This research examines the effects of computer viruses* on the PMO. Computer viruses continue to be a real threat to all computing systems, including traditional and wireless based networks. We will examine ways of mitigating this new threat. Trends in increased computer, operating system, and network standardization, as well as increased use of distributed systems and computer connectivity, enhance the viability of attacking targeted hosts via radio frequency.

Hardware acquisition managers, like software acquisition managers (Dobbins, 1994), must follow basic rules. Program managers must recognize that both hardware and software issues, just as software issues alone, can kill them.

The rapidly growing popularity of wireless LANs is proliferating intruders' opportunities to infect computing systems via radio frequency (RF). Telecommunication hardware and software components, each component's specifications, and the technology to inject computer viruses via RF communication channels are proven and readily available. Unauthorized users can purchase "telecommunications Saturday night specials" at many electronics outlets to insert surreptitious code into RF communication channels.

* Defined as a "rogue program" throughout the dissertation to denote any type of malicious code, such as logic and time bombs, worms, and trojan horses.

The implications for the PMO are mind-boggling: aircraft, weapon systems, "smart" bomb technology, and C³ face an additional insidious threat, which may gravely affect the security of the United States.


ABSTRACT


This dissertation demonstrates that inadequately protected wireless LANs are more vulnerable to rogue program attack than traditional LANs. Wireless LANs not only run the same risks as traditional LANs, but they also run additional risks associated with an open transmission medium. Intruders can scan radio waves and, given enough time and resources, intercept, analyze, decipher, and reinsert data into the transmission medium.

This dissertation describes the development and instantiation of an abstract model of the rogue code insertion process into a DOS-based wireless communications system using radio frequency (RF) atmospheric signal transmission. The model is general enough to be applied to widely used target environments such as the UNIX, Macintosh and DOS operating systems. The methodology and three modules, the prober, activator, and trigger modules, to generate rogue code and insert it into a wireless LAN were developed to illustrate the efficacy of the model.

Also incorporated into the model are defense measures against remotely introduced rogue programs and a cost-benefit analysis that determined that such defenses for a specific environment were cost-justified.
Chapter 1 INTRODUCTION


Rogue programs, including viruses, worms, and trojan horses, have existed for some time. Writers have devoted periodicals, security journals, newspapers, and entire books to rogue programs. Rogue programs continue to attack computer systems as well as local area networks (LANs). Rogue programs will continue to thrive as long as operating system vulnerabilities exist and LANs are proliferating. Currently, there are over 4000 rogue programs and 93.2% of all installed PCs are expected to be networked. Also, wireless LANs, which were first introduced in 1985, show promise. The wireless LAN market generated about $3 million in 1990, some $10 million in 1991, and $40 million in 1992. Forecasts for 1997 range from over $200 million to nearly $1 billion.

This dissertation shows that inadequately protected wireless LANs are more vulnerable to rogue program attack than traditional LANs because wireless LANs have not only the same risks as traditional LANs but also the risks associated with open transmission media (radio waves). People who want to insert rogue programs into wireless LANs can scan radio waves and intercept, analyze, decipher, and reinsert data into the transmission medium.

An abstract model of the rogue code insertion process demonstrates this claim. The abstract model is general and applies to widely used target environments such as the UNIX, Macintosh and DOS operating systems. The model is instantiated on a DOS-based system that uses radio frequency (RF) and employs a Local Area Wireless Network (LAWN) product. The insertion is received undetected, without errors, and later executed surreptitiously by the targeted host.


1.1  Related  Work 

Although there are numerous articles on wireless LANs, only one, by Lathrop, discusses their vulnerabilities. Lathrop's paper provides an overview of wireless LANs and concludes that wireless LANs face not only all of the risks associated with traditional cable-based LANs but also the additional risk that an open transmission medium imposes.

This dissertation is the first to develop an abstract model of the rogue code insertion process into a targeted network and then instantiate it on a personal computer system. This abstract model has three components: parameters and requirements definitions, defensive measures, and a cost-benefit analysis.


The required parameters and requirements definition component of the abstract model is analogous to the method used by the Internet worm to attack hosts. Whereas the Internet worm consisted of two parts, a main program and a bootstrap program, the abstract model uses three modules (prober, activator and trigger modules) for basically the same purpose. See the cited references for a detailed discussion of the Internet worm.


1.1.1 Intrusion Detection Systems (IDSs)

Defensive measures and the access vulnerability likelihood (VL) of the cost-benefit analysis of the abstract model are similar to intrusion detection systems (IDSs). IDSs monitor access control; the VL is used to perform a quantitative analysis. For example, IDSs monitor user activity continuously to detect any suspicious activity as it occurs by comparing a user's current behavior to his/her historical behavior. The VL is used to compute how the rogue code infiltrates the computer system. Accessibility issues include topological, vector and functional factors. Both are used to prevent unauthorized access; one prevents breaking in; the other (VL) provides the likelihood of breaking in. They are both computer-based security measures. There are currently nine intrusion detection systems in use:

1. Multics Intrusion Detection and Alerting System (MIDAS)

2. Intrusion Detection Expert System (IDES)

3. ComputerWatch Audit Reduction Tool

4. Haystack

5. Information Security Officer's Assistant (ISOA)

6. Network Anomaly Detection and Intrusion Reporter (NADIR)

7. Network Security Monitor (NSM)

8. W&S

9. Distributed Intrusion Detection System (DIDS)

The Multics Intrusion Detection and Alerting System (MIDAS) was developed by the National Computer Security Center to monitor the government Multics system; it has been operational since 1988 and it encodes "a priori" heuristic rules that define an intrusion. MIDAS' rules attempt to detect all penetrations including rogue program infection and misuse. MIDAS accomplishes this detection by using four types of heuristic rules:

1. Rule 1 deals with current behavior to detect those actions which in themselves (e.g., in isolation) may appear suspicious.

2.  Rule  2  uses  statistical  user  profiles  to  detect  any 
action  which  deviates  from  the  user's  observed  recorded 
past  behavior.  These  profiles  list  the  operator's 
commonly  used  commands,  typing  speed,  normal  access 
times,  and  location. 

3.  Rule  3  contains  a  global  system  profile,  which 
characterizes  the  normal  use  of  the  system.  For 
example,  excessive  use  of  the  copy  command  would 
indicate  suspicious  activity. 

4.  Rule  4  sequences  commands  which  characterize  known 
or  postulated  rogue  program  attacks.  Hence,  such 
attacks  can  be  detected  prior  to  causing  any  damage. 

Currently, MIDAS monitors the use of Dockmaster. Note that although MIDAS is implemented on the Multics system, with some modifications and changing of rules (depending on the system used), it can supposedly be adapted to any system.
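The MIDAS rules above lend themselves to a small worked example. The following Python code is an added illustration, not code from the dissertation or from MIDAS itself: it builds per-user and system-wide profiles from constructed audit records and scores a session against rule 2 (deviation from the user's own history), rule 3 (excessive use of the copy command against the global profile) and rule 4 (a known command sequence). The audit records, the signature and the thresholds are constructed assumptions.

```python
"""Profile-based anomaly scoring in the style of the MIDAS heuristic rules.

Added example, not code from the dissertation or from MIDAS itself. The
audit records, the attack signature and the thresholds are constructed
assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

# Constructed historical audit records: (user, hour_of_day, command).
# A real rule 2 profile would also hold typing speed and location;
# this example keeps only commands and access hours.
HISTORY = [
    ("alice", 9, "dir"), ("alice", 9, "type"), ("alice", 10, "copy"),
    ("alice", 11, "dir"), ("alice", 14, "print"), ("alice", 15, "dir"),
    ("alice", 16, "type"), ("alice", 10, "dir"),
    ("bob", 8, "dir"), ("bob", 8, "copy"), ("bob", 9, "copy"),
    ("bob", 12, "erase"), ("bob", 13, "dir"), ("bob", 17, "type"),
    ("bob", 9, "dir"), ("bob", 10, "attrib"),
]

# Rule 4: constructed, postulated command sequence (not a real signature).
SIGNATURES = {"copy-then-hide": ("copy", "attrib", "copy")}

COPY_RATE_FACTOR = 3.0   # rule 3: alert when copy use exceeds 3x the system norm
MIN_SESSION_LEN = 3      # assumption: no rate alerts on very short sessions


def build_profiles(records):
    """Per-user profiles (rule 2) and the global system profile (rule 3)."""
    users = defaultdict(lambda: {"commands": Counter(), "hours": set()})
    system = Counter()
    for user, hour, cmd in records:
        users[user]["commands"][cmd] += 1
        users[user]["hours"].add(hour)
        system[cmd] += 1
    return users, system


def global_copy_rate(system):
    """Fraction of all historical commands that were 'copy'."""
    total = sum(system.values())
    return system["copy"] / total if total else 0.0


def contains_sequence(cmds, sig):
    """True if sig occurs in cmds as an ordered (not necessarily adjacent) subsequence."""
    i = 0
    for c in cmds:
        if i < len(sig) and c == sig[i]:
            i += 1
    return i == len(sig)


def score_session(user, session, users, system):
    """Return de-duplicated (rule, detail) alerts for one session of (hour, cmd)."""
    alerts = []

    def add(rule, detail):
        if (rule, detail) not in alerts:
            alerts.append((rule, detail))

    cmds = [cmd for _, cmd in session]
    profile = users.get(user)   # .get() does not create a default entry
    if profile is None:
        add("rule2", "no historical profile for user")
    else:
        for hour, cmd in session:
            if cmd not in profile["commands"]:
                add("rule2", f"command never used before: {cmd}")
            if hour not in profile["hours"]:
                add("rule2", f"access outside usual hours: {hour:02d}:00")
    if len(cmds) >= MIN_SESSION_LEN:
        rate = cmds.count("copy") / len(cmds)
        norm = global_copy_rate(system)
        if rate > COPY_RATE_FACTOR * norm:
            add("rule3", f"copy usage {rate:.0%} vs system norm {norm:.0%}")
    for name, sig in SIGNATURES.items():
        if contains_sequence(cmds, sig):
            add("rule4", f"matched postulated attack sequence: {name}")
    return alerts


if __name__ == "__main__":
    users, system = build_profiles(HISTORY)
    session = [(2, "copy"), (2, "attrib"), (2, "copy"), (2, "copy")]
    for rule, detail in score_session("alice", session, users, system):
        print(rule, detail)
```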
The Intrusion Detection Expert System (IDES), being developed at SRI's Computer Science Laboratory since 1985, uses statistical algorithms to observe user behavior to detect any anomaly from the accepted documented normal profile. IDES adaptively learns what is normal for both individual users and overall system behavior. It also uses an expert system that encodes known intrusion scenarios, known system vulnerabilities, and other violations of a system's designed security policy. IDES discerns suspicious activity via a rule base. IDES has been completely redesigned to accomplish its intended objectives. It is modular, extensible, capable of monitoring both heterogeneous and homogeneous target machines, and provides protection in a real-time mode. SRI is in the process of enhancing its current IDES prototype, implemented in 1988, to provide a device which will become a tamper-resistant, fault-tolerant, extensible, parallel, and distributed prototype version. This new version will supposedly be more robust, reliable and powerful than the current version. There are currently three versions of IDES:

1. The basic IDES system, which detects any anomalous system activity based on user profiles;

2. The Sun-IDES, which monitors UNIX and uses the C2 Sun Unix Audit Trail; currently in use at SRI as a research prototype;

3. FOIMS-IDES, which monitors database use on an IBM mainframe. The FBI has adopted FOIMS-IDES.

IDES' endeavors to detect rogue program penetrations and misuse are based on the premise that any exploitation attempts will involve abnormal use of the system. Hence, SRI has accentuated the statistical user profiles and statistical analysis of user activities based on those profiles.

The ComputerWatch Audit Reduction Tool, available since September 1989, was developed by AT&T Bell Laboratories. This tool summarizes audit trails and highlights anomalous behavior via detection rules. It is used on a B1 version of the UNIX System V/MLS operating system and detects attempted break-ins, masquerading, many types of mistakes by legitimate users, many types of denial-of-service ventures and rogue program penetrations. It can also detect attacks involving more than one person.

Haystack, developed by Los Alamos National Laboratory, is designed to assist system security officers to detect and investigate any type of exploitation via anomalous events, security improprieties, and summarizing the system's audit trails of user behavior. Haystack is considered cost-effective because it uses Zenith Z-248 and Desktop III PCs. It attempts to detect break-ins, masquerading, any type of operating system penetration, denial-of-service, and various forms of malicious use.

The Information Security Officer's Assistant (ISOA) was developed by Planning Research Corporation (PRC). It is a functional real-time application prototype which uses a set of statistical tools, an expert system, and a hierarchical set to perform automated auditing and network monitoring. ISOA compares the incoming audit data with a set of expected events. It attempts to detect break-ins, masquerading, and many types of wrongdoing by legitimate users; PRC is in the process of including denial-of-service and rogue program penetration detection. The ISOA is currently used with the UNIX Sun operating system C2, and the IBM AT XENIX.

The Network Anomaly Detection and Intrusion Reporter (NADIR), operational since August 1989, was developed by Los Alamos National Laboratory (LANL). It aids security managers to detect computer abuse and penetration and attempts to detect break-ins, denial-of-service, many types of automated attacks, and many kinds of legitimate users' abuses. NADIR is specifically designed for use at LANL.
The Network Security Monitor (NSM), developed by the University of California, Davis, is a research project to detect many types of misuse of hosts connected by a LAN. The NSM prototype is currently running on a Sun 3/50. The target system is the Ethernet and all the hosts connected to it. NSM will intercept all message traffic, regardless of its destination, for examination. Experimentation on a live LAN is anticipated, as well as broadening NSM application to WANs and other platforms.

W&S, developed by LANL, is a computer security anomaly detection system. Its inception dates to November 1984. There are currently two versions of W&S in use at the Department of Energy (DOE) and at the National Computer Security Center (NCSC). A third version is in experimental use at LANL. W&S detects anomalies by identifying usage patterns that differ from historical norms and compares current system activity audit records to rules describing past behavior patterns. W&S is especially effective in detecting rogue program penetrations. It also detects other security breach attempts similar to the methods used by the aforementioned systems.
The Distributed Intrusion Detection System (DIDS), developed by Lawrence Livermore National Laboratory with participation by the University of California, Davis, and Haystack Laboratories in Austin, Texas, differs from the other IDSs in that it examines activity on all directly "monitored" hosts on the network while simultaneously examining network activity itself. It has been in beta testing since July 1992. DIDS has four major components:

1. The host monitor, which resides on each host computer on the network, continuously monitors user activity by comparing that activity with user profiles or particular "signatures" of intrusive behavior, such as reading or writing files.

2.  The  network  monitor  provides  similar  functions  as  the 
host  monitor  on  the  network. 

3. The DIDS director and its expert system (ES) examine the anomalous behavior or suspicious signatures for legitimacy. The DIDS director notifies the user of any unauthorized intrusions.

4. A user interface displays the network's security state, including the level of suspicious activity inferred by the DIDS director.


1.1.2 Cost-Benefit Analysis

The rationale of cost-benefit analysis is that when considering a proposed technology, the costs and benefits to be expected from its implementation should be assessed; the technology, or an improvement to it, is then adopted only if the anticipated benefits outweigh the anticipated costs. The implementation of this analysis will vary in accordance with stated assumptions. There are a number of cost analysis methodologies available.

Safeguards cost in the cost-benefit analysis of the abstract model was adapted from formulas that Fred Cohen devised to describe the total costs per year of rogue program defenses. Cohen evaluated the costs of today's widely used defenses such as scanners, monitors, cryptographic checksums and integrity shells. His 20 cost elements were reorganized and condensed into 7 elements and 5 sub-elements to satisfy the requirements of this dissertation.

Some recurring costs were incorporated from Linda Rutledge's paper to determine communication costs. She proposed a new method for secure transmission, called the Reference Matrix, which provides a technique for encoding a message over public switched networks using a spatial transformation. The recurring costs in her cost comparison of the Reference Matrix and other security methods were used to determine the communication costs in the cost-benefit component of the abstract model. Cost-benefit analysis techniques are based on traditional cost-benefit analysis approaches.

1.2 Summary of the Contributions

This  dissertation  makes  three  major  contributions. 

1. Demonstrates the problem: By successfully inserting rogue code into a wireless network, this dissertation demonstrates that inadequately protected wireless LANs are more vulnerable to rogue program insertion than traditional LANs.

2. Models a solution and illustrates the instantiation of the solution: This dissertation presents an abstract model that models the process whereby someone uses RF to insert rogue code into a targeted host's communication data stream. The abstract model is then instantiated into a DOS-based wireless communications system using RF.

3.  Provides  cost-benefit  analysis:  This  dissertation 
analyzes  the  cost  of  safeguarding  the  wireless  LAN  or 
leaving  it  unprotected  and  concludes  that  (for  specific 
measures)  it  is  cost-effective  to  implement  controls  to 
protect  the  LAN. 
1.3 Organization of the Dissertation

The remainder of the dissertation is divided into four chapters. Chapter 2 builds on previous research related to rogue program characteristics, computer networks and their vulnerabilities, wireless LANs, and the trends that increase the feasibility of remotely inserting rogue code via RF.

Chapter 3 develops an abstract model that shows how the rogue code is inserted into a targeted host using an RF communication channel. The chapter discusses the reasons why the abstract model is developed, how to process and verify the model's instantiated attack mechanisms, and the components that comprise the model: the parameters and requirements necessary to apply it to widely used environments; defensive measures; and the cost-benefit analysis that determines when such measures are cost effective.

Chapter  4  instantiates  the  model  on  a  DOS-based  system  using 
a  Local  Area  Wireless  Network  (LAWN)  connection  to  insert  a 
rogue  program  via  RF  into  a  targeted  host  on  a  wireless  LAN. 
The last chapter concludes that insufficiently safeguarded wireless LANs are more vulnerable to a rogue program attack than traditional LANs. This chapter also concludes that the abstract model developed in chapter 3 can be instantiated, as chapter 4 demonstrated, and suggests the advisability of conducting research to protect related systems such as cellular phone penetration vulnerabilities, automatic teller penetration techniques, short wave vulnerabilities, electronic warfare, and satellite manipulation applications.
Chapter 2 BACKGROUND


Chapter  2  provides  background  material  to  help  the  reader 
understand  chapters  three  through  five.  This  chapter  has  five 
sections:  section  2.1  delineates  the  rogue  program 
characteristics;  section  2.2  discusses  computer  networks  and 
their  vulnerabilities;  section  2.3  discusses  and  describes 
wireless  LANs;  section  2.4  describes  trends  that  increase  the 
feasibility  of  inserting  rogue  code  remotely,  and  section  2.5 
summarizes  the  chapter. 


2.1  Rogue  Program  Capabilities 

A rogue program must generally have three essential capabilities to infect programs or entire systems effectively. First, because infecting a single file may be inconsequential to some users, the rogue program may be able to replicate itself to multiple files. Second, the program must execute its code to spread the infection. This contamination may be accomplished by either executing an infected program or executing the rogue program code via the operating system's resources, such as booting up. Third, the rogue program code may carry a payload to effect whatever task the rogue program code was designed for. In many cases, rogue programs modify a bona fide program to satisfy the above capabilities. Sections 2.1.1 to 2.1.4 describe how rogue programs infiltrate hosts, how they work, what they look like, and how they attack.

2.1.1  Rogue  Program  Infiltration 

There are many ways in which an intruder can infect a standalone computer or a network node with a rogue program. Any time a program that is not written by the user himself (or is written by the user but has bugs) is executed, there is the possibility of it being malicious. When a user gives another user or another machine access to his system, he* is risking infection. Computer systems are infected via an infected disk which is physically placed into the system, or via a remote transfer mechanism, such as electronic mail. The initial infection of a system can occur by:

1.  booting  a  machine  with  an  infected  disk 

2. copying and/or executing infected software, which may be loaded from diskettes, obtained over a network connection, or via modem or other input methods, such as tape.


* "he" generically denotes a male or a female user
2.1.2 How Rogue Programs Work

For this section and the rest of this dissertation, unless stated otherwise, the IBM platform is the computing system. When an infected program is loaded and executed in the main memory of the computer system, it can infect other executable programs such as COM, EXE, SYS and OVL files. While executing, the rogue program surreptitiously directs the operating system to append or insert a copy of the rogue code into other programs. Then, when the newly infected program is itself loaded and executed, the rogue code takes control and performs its preprogrammed functions, which generally include self-propagation as well as performing mischievous or destructive manipulations. Depending on the specific type of rogue program, the rogue code may:

1.  Remain  in  main  memory 

2.  Hide  in  secondary  memory  such  as  a  hard  or  floppy 
disk,  etc.  Likely  hiding  spots  include  executables, 
the  boot  sector,  root  directory,  bad  sectors,  and  the 
partition  table. 


2.1.3 The Rogue Program's Structure

The one common characteristic of all rogue programs is that they modify or insert an entity such as a program, data, or operating system into a targeted host. This section presents a rogue program's modular structure, as modified from the cited reference, which is valid for all rogue programs except worms:

Infector | Carrier | Mover | Status

The above design and ordering of components are used for convenience. In practice, a rogue program may neither be modularly structured nor arranged in any specific order. What is important are the following functional components.

1. The infector component is the rogue program kernel which contains the rogue code. This component contains all the routines and functions to target and attack potential victims, to trigger how much damage to inflict, to identify propagation avenues, and to evade capture/detection.

2. The carrier component is optional; it is simply a normal program within which the rogue program code has been planted. It is useful, however, because it provides the rogue program with a vehicle to propagate to other programs.

3.  The  mover  component  is  also  optional.  It  moves 
data  which  the  rogue  program  has  replaced  so  that  the 
program  may  still  execute  normally.  The  mover  component 
is  used  with  nonoverwriting  rogue  programs,  which  will  be 
discussed  in  section  2.1.4. 
4. The status component is also optional and contains a status flag that prevents multiple reinfections. The status flag, which can be a single bit, indicates whether the program has already been infected and stops multiple infections of a single file. The status component will not reinfect an already infected file because reinfections increase the file size, making the rogue program susceptible to detection.

For the above structure to be viable, the rogue program must have read and write privileges as well as a means to determine which programs are present. The operating system already contains the required mechanisms for the rogue program to accomplish its purpose. For example, all operating systems provide basic functions such as the COPY, ERASE, TYPE, DIR, PRINT, ATTRIBUTE and PROMPT commands to manage files and programs. Moreover, on DOS systems, all users can have access to the Basic Input Output System (BIOS) and DOS services via software interrupts.
2.1.4 Rogue Program Attack Mechanisms

Rogue programs are either overwriting or nonoverwriting rogue programs.


Overwriting rogue programs write over the host program's code, destroying all or part of it (Figure 1). The host program may not properly execute after infection.

Figure 1. Overwriting .COM File Infector
Nonoverwriting rogue programs substitute the host program's code with their own. In this case, the host program's code can be partially or wholly relocated (Figure 2), and the host program should continue to function properly.

Figure 2. Nonoverwriting .COM File Infector


Although overwriting rogue programs are destructive, they are perhaps the easiest to design and detect. These rogue programs generally overwrite a number of bytes of an executable file so that users cannot recover the file. Since the rogue program overwrites a portion of the host program, the mover component is not required. The following sequence of diagrams illustrates the operational aspects of such a rogue program.

First, assuming that a program (carrier) is already infected, the diagram below displays the infected program and two other programs which are not yet infected:

Rogue Program Code

Uninfected User Program 1: User Program 1

Uninfected User Program 2: User Program 2

When the infected program is executed, the infector component attempts to infect another program. Once it locates an executable program, in this case User Program 1, it checks the status component to determine if it is already infected. If the flag indicates that it is not infected, then User Program 1 is targeted for infection and the rogue code overwrites the initial bytes in User Program 1. The files now appear as:
At the conclusion of the infection process, the infector component may trigger a damaging function. Execution then returns to the carrier program so that the program looks normal to users and they will remain unaware of the intrusion.

The infection of User Program 2 follows the same sequence; therefore, its infected structure looks like Infected User Program 1's structure:


Such an infected program will probably malfunction because the rogue program has overwritten some of its code. The 405 virus, which affects COM files, is an example of such a rogue program. The virus overwrites the first 405 bytes of the victim file, and if the victim file is shorter than 405 bytes, the virus increases the file to 405 bytes.


Nonoverwriting rogue programs are the most common. The terminology, however, is deceiving. Although its title implies nondestructive behavior, this type of rogue program can be more destructive than damaging overwriting programs, because overwriting programs generally cause errors immediately with infected executables, whereas nonoverwriting programs can be present and active within a system for long periods of time without being detected. Nonoverwriting rogue programs have a design similar to their overwriting counterparts; their structure differs only by the mover component, which is the mechanism by which the rogue code is copied to the victim file. This type of rogue program adds code to the host program either by increasing the file's size or by exploiting unused space.
An intruder has many techniques to insert a nonoverwriting rogue code into a host program. Assuming that a program (carrier) is already infected, one such technique operates as follows:


[Diagram: carrier program with components Infector | Carrier | Mover | Status, alongside uninfected User Program 1]


If  a  carrier  program  is  infected,  the  infector  component 
attempts  to  infect  User  Program  1.  It  first  checks  the 
status  component  to  determine  if  it  is  already  infected.  If 
the  flag  is  not  present,  the  infector  component  targets  User 
Program  1  by  selecting  an  area  at  the  very  beginning  of  the 
program  which  is  the  same  length  as  the  rogue  code  as 
illustrated  below: 


[Diagram: User Program 1 with the leading area of rogue-code-length marked]


Here, the rogue-code-length is the sum of the lengths of the infector, mover and status components. The rogue program then activates the mover component to append that specific rogue-code-length area to the end of the program, thereby preserving the original portion of User Program 1's code. The mover component then appends itself to the end of the user program.


[Diagram: User Program 1 before and after the move; the leading rogue-code-length area is copied to the end of the program, followed by a second rogue-code-length area for the mover]

The  initial  rogue-code-length  bytes  in  the  host  program  are 
then  overwritten  with  the  rogue  code.  The  rogue  program 
triggers  its  preprogrammed  function,  and  returns  execution  to 
the  carrier  program.  The  newly  infected  program  is  now  itself 
a  carrier  program.  The  rogue  program  does  not  manifest  any 
activity  until  the  newly  infected  program  is  executed.  The 
status  of  User  Program  1  is  now  the  following: 


The  original  beginning  of  User  Program  1  has  been  retained,  so 
the  host  program  can  still  execute  properly.  Once  the 
infected  User  Program  1  executes,  the  routine  begins  again. 
The  rogue  program: 

1. seeks an area in the beginning of User Program 2 and activates mover to copy that section,

2. appends itself to the space provided,

3. activates the task portion of the infector component to execute the preprogrammed task, and

4. tries to infect the next user program, and remains dormant until the program is executed.

Although  User  Program  1  is  infected,  after  the  rogue  program 
code  performs  its  function,  the  program  continues  to  function 
normally,  making  detection  nearly  impossible  unless  the  user 
notices  that  the  file  size  has  increased. 

This scenario has many variations. For example, a rogue program can place only part of the rogue code in the beginning of the host program and append the rest to the end. The rogue program can place its code anywhere in the host program, although placing it in areas other than the beginning and end is more difficult.
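As an added example (not from the dissertation), the following Python integrity check looks for the two symptoms this section describes, a replaced program prologue and a grown file, and tells the appending scheme (original prologue preserved further down the file) apart from an overwriter that pads a short file out to a fixed length. PROLOGUE_LEN, the file names and the sample bytes are constructed assumptions.

```python
from __future__ import annotations

import hashlib

# Bytes at the program start that the schemes above replace; an assumed value,
# a real tool would size this to the executable format in use.
PROLOGUE_LEN = 16


def baseline(image: bytes) -> dict:
    """Record what a later check needs: size, raw prologue bytes and a whole-file hash."""
    return {
        "size": len(image),
        "prologue": image[:PROLOGUE_LEN],
        "digest": hashlib.sha256(image).hexdigest(),
    }


def classify(base: dict, image: bytes) -> tuple[str, int | None]:
    """Compare a current image with its baseline.

    Returns a verdict and, for the appending pattern, the offset at which the
    displaced original prologue now sits.
    """
    if hashlib.sha256(image).hexdigest() == base["digest"]:
        return ("unchanged", None)
    if image[:PROLOGUE_LEN] == base["prologue"]:
        return ("modified, prologue intact", None)
    if len(image) == base["size"]:
        # Same length, new entry bytes: the overwriting design described above.
        return ("overwriting pattern", None)
    if len(image) > base["size"]:
        # Grown file: look for the original prologue somewhere past the start,
        # which is where the nonoverwriting scheme preserves it.
        moved_to = image.find(base["prologue"], PROLOGUE_LEN)
        if moved_to != -1:
            return ("appending pattern", moved_to)
        # Grown, but the original prologue is gone: an overwriter that pads a
        # short victim out to a fixed length, like the 405-byte case above.
        return ("overwrite with padding", None)
    return ("prologue replaced, file shrunk", None)


def audit(baselines: dict[str, dict], images: dict[str, bytes]) -> dict[str, tuple]:
    """Run classify over a directory snapshot; report files missing from either side."""
    report: dict[str, tuple] = {}
    for name, base in baselines.items():
        report[name] = classify(base, images[name]) if name in images else ("missing", None)
    for name in images.keys() - baselines.keys():
        report[name] = ("new file, no baseline", None)
    return report


# Constructed sample images (not real programs): 40 bytes standing in for code.
CLEAN = bytes(range(0x20, 0x48))
# Stands in for the rogue-code-length bytes that end up at the program start.
MARKER = b"X" * PROLOGUE_LEN

# Nonoverwriting layout from the text: first bytes replaced, displaced bytes appended.
APPENDED = MARKER + CLEAN[PROLOGUE_LEN:] + CLEAN[:PROLOGUE_LEN]
# Overwriting layout: same length, first bytes replaced.
OVERWRITTEN = MARKER + CLEAN[PROLOGUE_LEN:]
# Overwriter that pads the victim out to a fixed size, as the 405 virus does.
PADDED = (MARKER + CLEAN[PROLOGUE_LEN:]).ljust(60, b"\x00")

BASELINES = {"prog1.com": baseline(CLEAN), "prog2.com": baseline(CLEAN)}
CURRENT = {"prog1.com": APPENDED, "prog2.com": OVERWRITTEN, "prog3.com": PADDED}

if __name__ == "__main__":
    for name, verdict in sorted(audit(BASELINES, CURRENT).items()):
        print(f"{name}: {verdict}")
```

The size-plus-prologue test is what the text says a user would otherwise have to notice by hand; the offset search is what separates a preserved (appended) prologue from one that was simply destroyed.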




2.2 Computer Networks

Computer networks generally use some type of cable for their communication media. The cited literature adequately defines and discusses networks. They can be configured as LANs, Metropolitan Area Networks (MANs) or Wide Area Networks (WANs). Networks provide resource sharing and interconnection. They must also ensure data integrity, secrecy, and service availability. Networks provide data integrity when they protect data from unauthorized destruction or modification. They provide data secrecy when they protect data from unauthorized disclosure, and they provide service availability when they protect the system from deliberate performance degradation. Therefore, to ensure integrity, secrecy and service availability, only the authorized users can access the network, and data processing must be protected within the system.

2.2.1 Network Access

Unlike many stand-alone systems, networks generally use some form of access control such as identification and authentication. These controls ensure that only authorized users have access to the system or system information. While passwords are the oldest and perhaps the most familiar personal identifiers, other techniques such as biometrics and smartcards are available.


2.2.2 Network System Processing and Vulnerabilities

Incorporating security into the operating system is one way to protect data processing. Operating systems generally provide several security related functions which are generally located in the operating system kernel*, where they monitor and protect all operating system accesses and functions.

Some network operating system vulnerabilities, or functions vulnerable to rogue program attack, include

1.  I/O  processing  weaknesses, 

2.  access  policy  ambiguity,  and 

3. readily available commercial-off-the-shelf (COTS) programs, which are vulnerable because they are numerous and so many people use them.

I/O processing becomes vulnerable when, in the interest of fast data transfer, the operating system bypasses a particular function's protection features.

* The operating system kernel performs the operating system's low-level functions.
The computer industry has found it difficult to establish a fixed, all encompassing network access policy because of problems with accurately defining the difference between isolating users and allowing them to implement the security kernel. It is important to separate users to protect their data, but it is just as important to provide them access to data to do their job, such as shared access to libraries, utility programs, and common application data.

People implementing operating systems accommodate COTS packages by using "hooks" to install these packages. Any user can find these hooks and use them as trapdoors* to access and infiltrate the system.

Network operating systems can provide security and controls for all programs that run in their environment, but their size and complexity make it difficult to protect them.

Other  functions  vulnerable  to  rogue  program  attack  for 
networks  can  include: 

1. Accessibility. Networks are easily accessible, since there are so many computers interconnected; there are multiple points of attack. The level of security at any node is dependent entirely on whatever security measures (if any) are in place at that particular node.

* A trapdoor is a secret access to a software program for debugging and developing functions.

2.  Resource  sharing.  Generally,  if  one  computer  in  a 
network  is  infected,  other  computers  are  also  infected. 

3.  Routing  paths.  Users  can  seldom  control  the  routing 
of  their  messages. 

4.  Unknown  nodes.  As  networks  continue  to  proliferate, 
security  measures  at  the  new  nodes  will  become  more  and 
more  unreliable. 

2.3 Use of Wireless LANs

An alternative technology to "cable-bound" LANs is the wireless LAN. Wireless LANs free people from hardware location restrictions as well as from managing and maintaining miles of wires that connect workstations. Wireless LANs provide hardware mobility and flexibility - essential requirements in our highly mobile society. Managers can configure networks to transmit data via RF transmissions. Currently eight companies produce wireless LANs. Figure 3 lists these companies with their specifications:
Figure 3. Wireless LANs and Specifications

1. NCR Wireless LAN system (WaveLAN); 2. Motorola's wireless LAN Network (Altair); 3. O'Neill Communications' Local Area Wireless Network (LAWN); 4. Proxim Inc.'s ProxNet (alias RangeLAN); 5. Telesystems SLW Inc.'s ARLAN 600 Wireless Network System; 6. California Microwave Inc.'s RadioLink Network; 7. Black Box Corporation's BestLAN; 8. IBM's Wireless LAN (TBA).
Other companies, such as BICC Communications of Auburn, Massachusetts, and Photonics Systems Inc. of Northwood, Ohio, manufacture wireless LANs that use infrared rather than RF transmission techniques. Infrared LANs use basically the same technology as remote-control units for television, VCR or stereo, which employ the light spectrum to transmit data between nodes. Infrared transmission uses a much higher data rate than its RF counterpart, and unlike RF wireless LANs, is immune to radio interference.

Unlike RF systems, an infrared system requires that its units be in direct line of sight with each other; signals cannot be transmitted through physical barriers, such as walls and furniture.

Wireless LANs, unlike conventional LANs, are more vulnerable to rogue program infection because with enough resources and time, intruders can scan radio waves and intercept, analyze and possibly decode and retransmit data into the communication medium. Although some hosts use wireless LAN modules that use spread spectrum* technology, which makes it difficult to intercept data between hosts, all an intruder needs to do is to use one of the eight available modules, so he does not have to break any code; the correct module does it for him.

* Spread spectrum radio transmissions distribute the transmitted data across multiple frequencies.

Computer, operating system, and network standardization, increased use of distributed systems, and computer connectivity enhance the viability of attacking wireless LANs. All an intruder needs is a complete description of the transmission frequencies, modulation, synchronization and coding function (as discussed in the next chapter).

Using RF to communicate among computers is not new. For example, the world's first computer system to utilize ground based radio packet broadcasting for its communication facility was the ALOHANET system at the University of Hawaii in 1970. Another example of using RF technology to communicate is the Captain Midnight Escapades of 1986. The following subsections discuss these similar technologies.


2.3.1 The ALOHANET

The ALOHANET (Figure 4) used packet broadcasting via radio to give seven campuses on four islands access to a central computer in Oahu. Each campus communicated with the central computer by using an FM radio transceiver whose power was boosted with powerful repeaters. Two distinct 100 kHz channels were employed: an inbound random access channel, since the probability of contention was high, and an outbound broadcasting channel, since contention was minimal. There were no direct station to station communications. The ALOHANET became defunct in 1979 when a wire-based LAN cable was installed.

Figure 4. Schematic of the ALOHANET
2.3.2 Captain Midnight Escapades

The Captain Midnight Escapades also used RF technology. Shortly after midnight in April and June 1986, a disgruntled satellite dish user and non-Home Box Office (HBO) cable subscriber preempted HBO with the following message decrying scrambling:

"Good Evening HBO from Captain Midnight. $12.95? No Way! Showtime/The Movie Channel Beware!"

Captain Midnight used a transponder at the Central Florida Teleport Co., where he worked, in Ocala, Florida. The transponder consisted of a 10 meter satellite dish with 2000 watts of RF power. It was sufficient to overpower the HBO signal, much to the dismay of the cable company, but to the delight of many satellite dish owners throughout the country.

2.4 Trends That Increase The Feasibility of Inserting Rogue Code Remotely

The evolution, development and proliferation of computing networks have significantly enhanced system vulnerabilities to rogue program attacks. Operating system and computer standardization, expanded use of distributed systems, network connectivity, and wireless LANs have all increased the viability of successful rogue program intrusion.

2.4.1 Operating Systems and Computer Standardization

Operating systems, because they are standardized, interoperable, transportable, and form a common platform, have become a major target for rogue program attacks. Operating system vulnerabilities are well known. Journals, books, and periodicals delineate ways to identify such vulnerabilities systematically. Figure 5 enumerates some operating system components vulnerable to rogue program attacks.
Operating System
Vulnerable to Attack    DOS                  UNIX                        Macintosh
File Structure          Files/Directories    Same                        Same (Finder)
System Functions        DOS Functions        Kernel                      Resources (Code, CDEV, Patch)
Boot-up Sequence        Boot-up Seq          Same                        Init Resource
Command Interpreter     command.com          Shell                       System File, Toolbox
Hidden Files            IO.SYS, MSDOS.SYS    NA                          Desktop File
Telecommunication       NA                   System Network Utilities    NA
                                             (i.e., mail forwarding,
                                             authorized access,
                                             trusted host files)

Figure 5. Susceptibility of Operating Systems


In addition, books such as Mark Ludwig's The Little Black Book of Computer Viruses teach the basics of writing rogue programs, complete with examples.
To promote interoperability and transportability and to control acquisition and support costs, standard commercial off-the-shelf (COTS) hardware and software systems that meet national or international standards are becoming more popular than customized hardware and software. Using COTS saves money and reduces the logistical support needed to maintain software. Because the ratio of CPU performance to price doubles every year, it is not cost-effective to develop hardware or software from scratch, which can require up to ten years to develop and deploy.

Users must be able to deploy systems rapidly and have access to portable software to adapt quickly to standardized hardware. Hardware standardization includes fixed and floppy drives, controllers, chips, boards, power sources, video cards and monitors, CPU, and many peripherals. Standardized software packages include WordPerfect, Dbase, Lotus 123, Harvard Graphics, plus other management and decision-oriented software packages.

All the features which make COTS hardware and software so appealing are the same features that make these systems vulnerable to rogue code attack. COTS products include a rich set of functions such as computer architecture benchmarks, routines, and protocols to provide the maximum flexibility and functionality. But because they are so flexible, intruders, if they can detect a flaw in any of these functions, can access all network nodes.

2.4.2 Distributed Systems Standardization

The computing community, including government and corporate services, banking institutions, airlines, military services, nationwide department stores, and computer stores, widely employs distributed systems. Corporations are increasing their use of distributed processing because standards organizations such as the Open Software Foundation (OSF), the International Standards Organization (ISO), and the Consultative Committee on International Telegraph and Telephone (CCITT) are endorsing it.

OSF, a consortium founded by Hewlett-Packard, IBM, and Digital Equipment Corp, announced the components of a Distributed Computing Environment (DCE) in May 1990. This environment allows users to run distributed processing applications across a network to allocate the processing power of the network dynamically. The consortium released the preliminary version of the OSF Distributed Computing Environment technology in 1991.


The ISO, including constituents of the national standards organizations in the member countries, deals with international standardization of various protocols. CCITT, consisting of national, public and private telecommunication administrations, is primarily concerned with telephone and data communications systems. The ISO and CCITT are both standardizing a framework for structuring distributed applications. ISO is expected to release the Open Distributed Processing (ODP) Draft International Standard, which addresses distributed applications, in 1995.

The "Big Three" software companies, Lotus Development, Microsoft, and WordPerfect, are competing for developers and customers to use their own distributed architectures. Each architectural design is centered around computer systems and interconnectivity, application integration, advanced functionality and common user interface.

Stand-alone and distributed systems share some of the same risks; however, distributed systems are far more vulnerable than stand-alone systems for the following reasons:

1. Intruders can propagate infection easily because distributed systems are interconnected. For example, one infected machine can contaminate all the machines throughout the communications subsystem.

2. Multiple access points to the connected system and multiple security mechanism levels for each host make installing rogue code easy. The more hosts that there are, the greater their availability, and the greater the likelihood of getting hit with a rogue code, especially if one host is already infected.

3. The availability of a multitude of other services such as network system utilities, which include file transfer, remote job entry, and sharing of computing functions, provides a rich environment for a rogue program attack.

4. Because distributed systems are harder than stand-alone systems to debug, they require more debugging tools. Sometimes, debugging routines bypass security checks and thereby enhance the system's susceptibility to rogue program attacks.

5. Normally, only a client host distributes new or improved software. When users log on, as in the case of "Prodigy" updates, the host automatically downloads files to the user's machine. Because only one host is involved, intruders can readily determine system weaknesses.


2.4.3 Enhanced Computer Connectivity

Increased computer connectivity is inherent in standard operating systems, networks, and distributed systems. There were over 400,000 LANs and LAN operating systems sold in the United States in 1992. Customers probably purchased these LANs to send and receive electronic mail; however, file sharing is expected to have a progressively more important influence, especially with client/server networking*. Therefore, because of connectivity, the whole world may be able to access your electronic door.

* The computing system that used to run on a single machine is now a distributed system spread across multiple computers, technologies, geographies, and organizational functions.

2.5 Summary

This chapter described rogue program characteristics, discussed computer networks' susceptibility to rogue code attack, the use of wireless LANs, trends that increase the feasibility of remotely inserting rogue code by RF, and how rogue programs infect wireless LANs. Chapter 3 uses this knowledge of rogue programs to develop an abstract model of the rogue code insertion process into a communication data stream to a targeted host via radio frequency. Chapter 4 instantiates the abstract model developed in Chapter 3 on a DOS-based system.
Chapter 3 REMOTELY INSERTING ROGUE CODE INTO A WIRELESS LAN USING RADIO FREQUENCY

3.1 Introduction

In Chapter 1, the purpose of the dissertation was discussed. In Chapter 2, characteristics of rogue programs were delineated (what they were, how they were structured and how they functioned), networks were discussed, and the concept of wireless LANs was introduced. This chapter develops an abstract model of the rogue code insertion process into a targeted (networked) wireless communications system using Radio Frequency (RF) atmospheric signal transmission.

The first three sections provide background information and the reasons for developing an abstract model. Section 4 discusses the abstract model. The model is general enough to apply to widely used target environments such as UNIX, Macintosh and DOS operating systems. In Chapter 4, a DOS-based model is used to demonstrate the feasibility of actually inserting rogue code into a targeted host via RF.

This  chapter  has  five  sections:  an  introduction  (3.1); 
background  (3.2);  reason  for  the  model  and  its  attack 
mechanisms  (3.3);  model  development  (3.4),  and  summary  (3.5). 
3.2 Background

Rogue codes can rapidly spread throughout target computer networks which are vulnerable to rogue code attacks. The magnitude of the damage depends on the intruder's intent and the system's safeguards against infection. In October 1989, Cramer and Pratt's "Computer Virus Countermeasures - A New Type of Electronic Warfare" discussed for the first time applying computer rogue program techniques to electronic warfare. This dissertation is the first to develop a generic model of the insertion of rogue code into a targeted system and instantiate it on a DOS-based system.


3.3 Attack Goals

We  have  so  far  discussed  similar  technologies  to  use  RF  to 
effect  computer  communications.  The  following  subsections 
discuss  the  motivation  to  develop  a  general  model  of  the  rogue 
code  insertion  process,  rogue  code  insertion  procedures  and 
verifying  insertion  success. 


3.3.1  Motivation  to  Develop  an  Abstract  Model 

The reason to develop an abstract model is to show how easy it can be to insert rogue code into a targeted host via RF. The purpose of inserting rogue code into a targeted host can include a variety of covert goals, including disrupting, degrading or exploiting the targeted host's operational capabilities to function properly. The main components of the model at a conceptual level, shown in Figure 6, are the intruder, the attack mechanism and the targeted host.


Figure 6. Conceptual Model


To affect a targeted host's operations adversely, the intruder's program must insert, modify or delete the host's control messages. Such manipulations can, among other things, cause the routing algorithm to select suboptimal routing.


Distributed system nodes can be highly vulnerable to false system control messages, either from communications errors or from a deliberate attack. For example, the internet is vulnerable to false control messages being inserted either on interswitch communication lines or from one of the switches themselves [switches are the network's connection mechanisms]. Flooding the network with a continuous stream of bogus messages can significantly increase processing time and hence disrupt or degrade the system's operations. Packet communications are very vulnerable to a variety of fraudulent message and message alteration attacks because packets can be generated that appear to have come from another source. Packets can be captured, modified and reinserted into a network without the bona fide hosts knowing it.

Other typical approaches to disrupting or degrading a targeted host's operations include forcing a system crash, destroying data, or inserting delays in real time systems. An intruder can easily cause a system crash by modifying a program which executes automatically during the booting procedure, such as COMMAND.COM for DOS-based machines. Destroying data is another way of disrupting or degrading the system. An intruder can destroy data by overwriting or erasing the data or by changing the pointers to that data. For example, the intruder could change the pointers on a DOS-based machine by modifying the FAT. He can alter data either en masse or piecemeal, depending on his goals. He can also disrupt or degrade data by writing a rogue program that delays packets. Disruption and degradation attacks can be referred to as denial of service attacks because they are intended to reduce the communication channel's information carrying capacity.

Intruders can use passive measures in addition to active measures to gain valuable information from a targeted host, such as revealing the host's system resources, such as configuration and data and system files, and addresses and listings of trusted hosts to which they are connected. The intruder can exploit this information at the time of the attack or at a later date.

3.3.2  Attack  Method 

The following "Attack Process Events Time Line" (Figure 7) provides the guidelines for examining the attack process:

"Attack Process Events Time Line"

1. Determine Possible Target Hosts

2. Probe Target Characteristics

3. Build A Rogue Program

4. Task the Rogue Program

5. Rogue Program Executes Task at Predetermined Time.

Figure 7. Attack Time Line

First,  the  intruder  must  list  targeted  hosts.  Then,  he  must 
probe  system  characteristics  and  resources  to  determine  if  the 
attack  against  a  specific  host  is  viable.  If  attacking  a 
specific  host  is  not  viable,  he  will  continue  to  attack  other 
hosts  until  he  is  successful.  Once  he  is  successful,  he  must 
determine  his  goals.  If  his  goals  are  feasible,  the  intruder 
will  build  the  rogue  program  code  and  infect  the  system  with 
it.  If  the  goals  are  not  feasible,  he  can  modify  them. 
Depending  on  the  intruder's  goal,  the  rogue  program  can  lie 
dormant  for  future  execution  or  be  executed  immediately. 
3.3.3 Verifying the Success of Rogue Code Execution

Intruders must give serious consideration to determining if the rogue code is in control. For example, an intruder might build a signal into the program that would respond automatically or upon request to verify that the injected code is operational. The rogue program may send such a signal, which would require a very small bandwidth, via covert channels so that the host system could not detect the signal and the infection. However, such a strategy would promote opportunities for detection by the targeted host. Depending on the situation, it may be worth the risk of exposure to obtain confirmation.

Another option available to the attacker to ensure that the rogue program is actually doing what it was designed to do is to conduct covert or overt testing upon infection or periodically after infection.

Covert or overt testing can be conducted with a system similar to the targeted hosts' system in a controlled environment established by the attacker. The authenticity of such a system would depend on how much information was available on the targeted system; this "analogous parallel" system may consist of an abbreviated or an exact version of the targeted host. Although intruders can verify that they have infected the host with the rogue code, they cannot predict how the rogue code will affect the host, because they do not have full knowledge of software, special hardware, or firmware. In short, there does not appear to be an adequate feedback mechanism to determine the operational status of such rogue programs or to control them once they are executed.

3.4 An Abstract Model - Overview

The abstract model has three components: required parameters, defense measures, and a cost benefit analysis. Figure 8 pictorializes the abstract model.

Figure 8. The Abstract Model


3.4.1 Parameters and Requirements

To develop an abstract model it is first necessary to identify the parameters and requirements that exist within a system. Within the context of a network, the key parameters to be considered are the targeted network's communications channel, in order to format the rogue code properly so that the receiving host would accept it, and how the target host processed the data it received from a communications link, including the target host's protocols and applications.

3.4.1.1 Communications Channel

A network may consist of a series of homogeneous or
heterogeneous computers connected in a local area network
(LAN) or in a wide area network (WAN). The communication over
connecting transmission media is accomplished using complex
protocols. Protocols are designed as a series of dependent
layers to attenuate their complexity. While the topology of
these layers may differ for different networks, the
characteristics are basically the same.

The International Organization for Standardization (ISO) has
proposed the Reference Model of Open Systems Interconnection
(OSI) as a first step toward internationally standardizing
the various protocols. The ISO OSI reference model, commonly
known as OSI, has seven layers, each one built on the
previous layer, each with its own specific function (see
Figure 9).

A sender initiates message transmission at layer 7 with an
application program. Message transmission traverses the
interdependent layers down to layer 1, the physical layer,
which is concerned with transmitting specifically formatted,
individual bits over a communication channel to the physical
layer at the receiver.

While the above series of layers simplifies the protocol, it
also introduces more opportunity for rogue code programmers to
penetrate systems, especially since networks were not designed
with security as a high priority. See Figure 10 for OSI
vulnerabilities.
3.4.1.2 Data Stream Conformation

The injected rogue code must be formatted properly for the
targeted host to interpret it as normal network data. The ISO
OSI model follows this message transmission format:

N is the Network Header - Routing
T is the Transport Header - Priority
S is the Session Header - Synchronization
M is the Message

followed by the Data Link Trailer - Error Correction

The  intruder  must  also  know  the  following  parameters  to  be 
able  to  insert  the  rogue  code  into  the  data  stream 
effectively: 

1.  transmission  frequency 

2. synchronization

3.  coding  characteristics. 

We  describe  these  now. 


3.4.1.2.1 Transmission Frequency

Transmission  frequencies  vary  from  300  bits  per  second  to  2 
Mbps.  The  intruder  must  know  this  frequency,  which  determines 
the  message  transmission  rate,  to  insert  rogue  code  into  a 
data  stream. 
3.4.1.2.2 Synchronized Communication

Communication  is  synchronized  when  the  data  characters  and 
bits  are  transmitted  and  the  sending  and  receiving  hosts  are 
synchronized.  For  example,  when  one  interface  message  process 
(IMP)  wants  to  send  a  frame  to  another  IMP,  it  sets  the  frame 
in  a  memory  buffer  and  then  starts  the  transmission  hardware. 
Before  sending  the  first  character  in  the  buffer,  the 
transmission  hardware  sends  a  synchronizing  signal  defining 
the  start  of  the  frame.  After  the  message  is  transmitted, 
another  synchronizing  signal  is  sent  to  define  that  the 
process  is  completed.  There  is  a  finite  amount  of  time 
allotted  for  specific  packets  to  be  transmitted  and 
acknowledged.  Synchronization  signals  also  define  the  time 
period  that  a  sending  host  will  wait  until  a  packet  is  resent 
if no acknowledgement is received; such signals define delays
among  hosts  as  well.  Therefore,  to  inject  rogue  code  into  a 
data  network  successfully,  the  intruder  has  to  know  the 
synchronization  signals. 

3.4.1.2.3 Coding Characteristics

Coding  characteristics  include  transfer  modes,  such  as  ASCII 
and  octet,  packet  size,  and  other  structural  parameters.  The 
intruder  must  know  these  characteristics  to  make  the  rogue 
code  look  like  the  code  it  is  replacing;  otherwise  the 
receiving  host  will  reject  it. 
3.4.1.3 Code Generation

Unlike standard methods of inserting rogue code into target
systems, where code size is not critical, the rogue code to be
inserted via RF should be small. The time period within which
such code can be injected during a transmission is limited.
Hence, limited insertion time dictates limited code size. A
packet-size code of 512 bytes or less would be optimal. Note
that the smallest known rogue program, the "Define Virus", is
only 30 bytes.

Intruders can compress the rogue code to make it as small as
possible. After they inject this compressed code into the
targeted data stream, and the "duped" host accepts it, it can
decompress and infect the targeted host while remaining
inconspicuous. The following modules help the reader
understand how an intruder can compress rogue code and infect
computer systems:


Prober Module -> Activator Module -> Trigger Module


The Prober Module ascertains the target host's specific
characteristics and gives them to the Activator Module. The
Activator Module contains the "builder," which collects and
analyzes all data to build or create the rogue code, that is,
to create a rogue program which uses the targeted system's own
resources. The Trigger Module executes the assigned tasks and
propagates at will by using stealth techniques as discussed in
chapter 1 (hides, infiltrates, bypasses antirogue program
tools in place).

The Prober Module (Figure 11) decompresses (if the code is
compressed) and initiates its probing function.


Figure  11.  Prober  Module 


The abstract model's prober is instantiated by the Internet
Worm's prober module functions; they both probe the targeted
machines in the network for information using system
utilities, public configuration files and the target's
interrupt vectors.


If  the  probing  module  is  successful,  it  performs  the  following 
sequence : 

1.  makes  a  copy  of  the  original,  compressed  code 

2. stores the compressed code in high memory for DOS
machines or in another file for other platforms

3.  "feeds"  the  information  it  has  obtained  to  the 
Activator  Module  so  that  the  Activator  Module  can 
compile  the  rogue  code 

4.  searches  for  other  viable  paths  to  propagate  the 
rogue  code  to  other  hosts. 

If  the  probing  module  successfully  performs  this  sequence,  it 
transmits  the  original,  compressed  code  to  identified  hosts 
and  deletes  its  original  copy  from  memory  or  deletes  the  file 
within  which  it  used  to  hide. 

If the probing module is unsuccessful, it continues its
attempt to perform the sequence with the exception that it
does not feed information to the Activator Module. Each time
it fails, it deletes itself from the particular network it is
trying to invade and keeps trying to invade targeted networks
until it is successful.

The Prober Module activates the Activator Module (Figure 12),
which consists of a decompressor unit, a compiler and groper
units. The decompressor unit decompresses the compressed
rogue code. The "builder" unit compiles its code to build the
rogue program, and the groper unit seeks procedural or
technical vulnerabilities, such as poor passwords, which will
be fed into the Trigger Module.


Figure 12. Activator Module


The Trigger Module (Figure 13) executes the rogue program to
infect the targeted system. It uses stealth techniques to
infiltrate the system, bypass any resident antirogue program
tools, camouflage itself, and propagate at will.


Figure 13. Trigger Module


The technique of injecting rogue code into the target host's
data stream may include creating a virus, while subsequent
propagations may include transmitting a worm. Viruses do not
require network connectivity as worms do, and can therefore
access more machines than worms. This dissertation's attack
uses a virus to infiltrate the targeted system. Figure 14
illustrates the Generic Rogue Program Insertion Model and
pictorializes direct and indirect rogue code attack
mechanisms.


Figure 14. Insertion Model


3.4.1.4 Required Resources

To ascertain the required parameters as discussed above and
insert rogue code via RF into a targeted system, the model
uses "ham-radio" technology. The following three hardware
components are required to insert rogue code into an RF data
stream:

1. a computer system

2. a computer hardware/radio interface system (CHRIS)

3. a transceiver.
It is assumed that the message is in clear text. Otherwise
the intruder would have to capture and decrypt the message to
determine all parameters, and insert the rogue code into the
system.

The intruder uses commercially available and inexpensive
hardware components to insert rogue code via RF into a
computer system (Figure 15).
The Computer Hardware/Radio Interface System (CHRIS), Figure
16, the interface device between the computer terminal and RF
transceiver, assembles and disassembles packets and detects
errors. The transceiver (radio) transmits and receives data.
The intruder uses these three components to intercept and
download packets to determine required parameters such as
communication protocol, message transmission format,
transmission frequency, synchronization, and coding
characteristics. The intruder can then replace specified
packets with rogue code.


Figure 16. Computer Hardware/Radio Interface
System (CHRIS)
RS-232 communications ports make configuring the CHRIS easy.
For example, an RS-232 cable allows the CHRIS to interface
with the computer and the transceiver. The standard RS-232C
serial port consists of up to 25 pins, only a handful of which
are required to configure the CHRIS (Figure 17).


Figure  17.  Example  Configuration 


3.4.2 Defense Measures

While subsection 3.4.1 developed the nucleus of the abstract
model, by determining the communication protocol, message
transmission format, frequency, synchronization, coding
characteristics and required resources, subsections 3.4.2 and
3.4.3 extend the model. In subsection 3.4.2, defensive
measures and countermeasures are incorporated into the
abstract model to complete it. Further, subsection 3.4.3
addresses whether the defenses are cost-justified.

The  following  six  techniques  can  be  used  to  defend  against  RF- 
insertion: 

1. cyclic redundancy checks (CRCs)

2. checksums

3. encryption

4. digital signatures

5. built-in security controls

6. combinations of the above

For  purposes  of  illustration,  the  experiment  described  in  this 
dissertation  uses  CRCs  and  checksums  to  demonstrate  successful 
detection  of  rogue  code  insertion. 

The  cost-benefit  analysis,  subsection  3.4.3,  indicates  if 
using  these  protective  techniques  is  cost-justified. 
3.4.2.1 CRCs


CRCs check the number of a file's sequential bytes to assign
a unique number for that file by treating bits as a
representation of a polynomial with coefficients of 0 and 1.
For example, a k-bit message is regarded as the coefficient
list for a polynomial with k terms, ranging from x^(k-1) to
x^0, with a degree of k-1. For example, 101011 represents a
six-term polynomial with coefficients 1,0,1,0,1,1, or
x^5 + x^3 + x + 1. To produce the unique number, polynomial
arithmetic is performed modulo 2, in accordance with the
rules of algebraic field theory. The three polynomials that
are currently the international standards are CRC-12, CRC-16,
and CRC-CCITT.

CRCs can detect unsophisticated rogue programs, because any
change in the number of a file's sequential bytes produces a
different CRC. However, sophisticated rogue programs, such
as those containing stealth capabilities, can circumvent CRCs.
Therefore, a CRC check alone may not prevent such attacks.

3.4.2.2 Checksums

A checksum calculation is the exact number of a file's
individual bytes. The process of performing a checksum
verifies a file's integrity prior to execution by making sure
that a file has the exact number of bytes that it should have.
Checksum algorithms range from the very simple to
ultra-complex. Users can also employ checksums in conjunction
with encryption to determine if a file has been modified. A
table of checksums for each file can be stored off-line, on a
write-protected floppy, in ROM, on a card, or even encrypted
somewhere in the system. When a file is loaded, the checksum
of the executable file can be compared with the checksum in
the table for the file to verify the file's integrity. An
assortment of different checksum algorithms exists. Checksum
algorithms can detect RF-inserted, non-stealth rogue code.
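As an added example, not code from the dissertation, the following Python implements both mechanisms of 3.4.2.1 and 3.4.2.2 on a constructed set of files: a CRC computed by modulo-2 polynomial division with the CRC-CCITT generator x^16 + x^12 + x^5 + 1 (the same error-detection value the data link trailer of 3.4.1.2 carries), a byte-count and byte-sum checksum, an off-line reference table, and the verification step that compares a loaded file against that table. The file names and contents are constructed, and the CRC variant used (register preset 0xFFFF, no final XOR) is an assumption, since the page does not specify one.

```python
"""Integrity checks from 3.4.2.1 and 3.4.2.2: CRC and checksum against a stored
reference table. Added example; file names and contents are constructed."""

# CRC-CCITT generator polynomial x^16 + x^12 + x^5 + 1. The implicit x^16 term
# is dropped, leaving the 16-bit value 0x1021.
CRC_CCITT_POLY = 0x1021


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Treat the bits of `data` as polynomial coefficients and divide them by the
    generator modulo 2 (XOR, no carries); the 16-bit remainder is the CRC.
    Register preset 0xFFFF is an assumption (the CRC-16/CCITT-FALSE variant)."""
    crc = init
    for byte in data:
        crc ^= byte << 8                # bring the next 8 coefficients in
        for _ in range(8):
            if crc & 0x8000:            # leading coefficient set: subtract G(x)
                crc = ((crc << 1) ^ CRC_CCITT_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def simple_checksum(data: bytes) -> tuple:
    """The page's checksum: the exact byte count of a file, here paired with a
    16-bit modular sum of the bytes as a slightly stronger 'simple' variant."""
    return len(data), sum(data) & 0xFFFF


def build_reference_table(files: dict) -> dict:
    """Compute the values to be kept off-line (write-protected media, ROM)."""
    table = {}
    for name, content in files.items():
        length, byte_sum = simple_checksum(content)
        table[name] = {"len": length, "sum": byte_sum, "crc": crc16_ccitt(content)}
    return table


def verify_file(name: str, content: bytes, table: dict) -> dict:
    """Compare a file as loaded against its stored reference entry."""
    ref = table[name]
    length, byte_sum = simple_checksum(content)
    return {
        "length_ok": length == ref["len"],
        "sum_ok": byte_sum == ref["sum"],
        "crc_ok": crc16_ccitt(content) == ref["crc"],
    }


# Constructed sample files standing in for executables on the protected host.
CONSTRUCTED_FILES = {
    "transfer.dat": b"123456789",
    "report.txt": b"quarterly figures, unmodified",
}


if __name__ == "__main__":
    table = build_reference_table(CONSTRUCTED_FILES)
    # Same length and same byte sum, but two bytes swapped: only the CRC notices.
    print(verify_file("transfer.dat", b"213456789", table))
    print(verify_file("report.txt", CONSTRUCTED_FILES["report.txt"], table))
```

The swapped-byte case shows why a checksum that only counts (or sums) bytes passes a same-size substitution while the CRC does not, and also why the page says CRCs stop only unsophisticated changes: the CRC is a fixed, keyless function of the data, so any program that can rewrite the file can recompute it, which is what pushes the discussion on to encryption and digital signatures.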

3.4.2.3 Encryption

Encryption can prevent unauthorized users from gaining access
to information. Encryption consists of an algorithm and one
or two keys. The algorithm uses a key to scramble the
message, called plaintext, into unreadable ciphertext. The
same key and the same algorithm unscramble the ciphertext.
Encryption, which can both prevent the insertion of rogue code
and isolate rogue programs once a system has been infected,
can also be effective in an RF environment. Regardless of the
context within which encryption is used, using encryption
mechanisms to transmit messages can make it very difficult for
rogue program writers to insert their rogue code onto a
transmission medium via RF or any other means, because the
rogue program writer probably will not have access to the
proper key to encipher/decipher the message. Although an
encryption algorithm may be breakable, it may not be practical
to do so, because it would take too long to decrypt it.

Although encryption can be a powerful tool, it alone may not
prevent the insertion of rogue code via RF. Encryption
protects against disclosure and detects modification attempts.
Using encryption makes a potential rogue writer work harder
than he would have to if the code were not encrypted.

3.4.2.4 Digital Signatures

Digital signatures authenticate messages to defend against the
threat of rogue code insertion onto a data stream via RF.
Digital signatures can be performed at the message or at the
packet level in several ways. The three most widely used are
the Rivest-Shamir-Adleman (RSA) algorithm, the Data Encryption
Standard (DES)-based message authentication code (MAC), and
the Digital Signature Standard (DSS)-based Digital Signature
Algorithm (DSA).

Digital signatures make it difficult for rogue programs to
insert code. Digital signatures at the packet level will make
it virtually impossible for rogue program code to be
successfully inserted onto a transmission medium via RF. The
rogue code could be detected if the imposter does not
possess the originator's private key. To limit performance
penalties and overhead, digital signatures can be utilized
only on the first packet of a message and still ensure
reasonable security, nominal performance degradation and lower
cost.
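As an added example, not from the dissertation, the following Python models the packet-level authentication of 3.4.2.4 and the cost-saving variant the page proposes (a signature on the first packet only). Python's standard library has no DES-MAC or DSA, so an HMAC-SHA256 tag under a shared key stands in for the DES-based MAC; the key, packet size and message are constructed. What it shows is what a receiver can and cannot reject under each policy when a later packet in the stream has been altered in transit.

```python
"""Packet-level message authentication (3.4.2.4): tag every packet versus
tag only the first one. Added example with a constructed key and message;
HMAC-SHA256 stands in for the page's DES-based MAC."""
import hashlib
import hmac

CONSTRUCTED_KEY = b"constructed-demo-key-not-for-real-use"
PACKET_SIZE = 8  # constructed; the page's packets would be larger


def split_packets(message: bytes, size: int = PACKET_SIZE) -> list:
    """Break a message into fixed-size packets (the last may be shorter)."""
    return [message[i:i + size] for i in range(0, len(message), size)]


def mac_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Tag one packet; the sequence number is bound in so that a validly
    tagged packet cannot be moved to another position in the stream."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def authenticate(key: bytes, packets: list, first_only: bool) -> list:
    """Sender side: return (seq, payload, tag) triples; tag is None for packets
    left unauthenticated under the first-packet-only policy."""
    stream = []
    for seq, payload in enumerate(packets):
        tagged = (seq == 0) or not first_only
        stream.append((seq, payload, mac_packet(key, seq, payload) if tagged else None))
    return stream


def verify_stream(key: bytes, stream: list) -> dict:
    """Receiver side: which packets fail their tag, and which carry no tag and
    therefore cannot be checked at all."""
    rejected, unverifiable = [], []
    for seq, payload, tag in stream:
        if tag is None:
            unverifiable.append(seq)
        elif not hmac.compare_digest(tag, mac_packet(key, seq, payload)):
            rejected.append(seq)
    return {"rejected": rejected, "unverifiable": unverifiable}


def altered_third_packet(first_only: bool) -> dict:
    """Constructed scenario: the third packet arrives with its bytes replaced
    (same length); the receiver's verdict depends on the tagging policy."""
    message = b"FILE TRANSFER PAYLOAD BLOCK, constructed sample text"
    stream = authenticate(CONSTRUCTED_KEY, split_packets(message), first_only)
    seq, payload, tag = stream[2]
    stream[2] = (seq, b"X" * len(payload), tag)
    return verify_stream(CONSTRUCTED_KEY, stream)


if __name__ == "__main__":
    print("every packet tagged:", altered_third_packet(first_only=False))
    print("first packet only:  ", altered_third_packet(first_only=True))
```

Under the every-packet policy the receiver rejects exactly the altered packet; under the first-packet-only policy it reports that packet (and every later one) as unverifiable rather than rejected, so the overhead saved is paid for in packets the receiver must accept on trust. The sequence number inside the tag is what stops a correctly tagged first packet from being reused in front of a different body.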


3.4.2.5 Safeguards Incorporated in Commercial Wireless
LAN Software

The wireless LAN software that comes with many of the
commercially available modules incorporates one or more of the
following five security mechanisms that make it difficult to
insert a covert rogue program and to infect the network nodes
in general:

1. The network software can ensure that no two nodes
have the same name.

2. The network software can use a security code to
authenticate users on the network; the code can be a
number from 1 to N, where N can be any number greater
than or equal to 1. LAN modules must have the
same security code to talk to each other.

3. A "so-called" secure channel can be set up so that
other modules in the network can not intercept
messages. Users can choose between two or more channels.

4. Users can purchase an encryption module separately.

5. Users can purchase an optional boot-up from ROM.

6. Many products use spread spectrum technology.

Figure compares the defensive mechanisms available with
each of the wireless LAN products discussed in section 2.3.
The products are listed in order of the number of defensive
controls incorporated.
supposed to have the same name, using O'Neill's LAWN package,
the author was able to have two hosts with the same name as
long as one of those hosts was inactive. In short, an
intruder with the same host name as a bona fide user's name
could send data to another bona fide user, assuming that all
other parameters such as rate of transmission, security code
and channel were the same. Note that the only requirement to
infecting the system in this way is that the host that the
intruder is masquerading as is not transmitting over the
wireless LAN. The bona fide user could still be doing other
work on the computer and does not have to be logged off.
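The duplicate-name observation above can be restated as an admission policy. The following Python is an added example, not LAWN's software: it models a node registry that either checks a joining node's name only against nodes currently transmitting, which is the behaviour the author observed, or against every registered node whether active or not, and then applies the security-code and channel matches of items 2 and 3. The node names, security codes and channel numbers are constructed.

```python
"""Node admission policy for a wireless LAN (3.4.2.5). Added example; the
nodes, security codes and channel numbers are constructed."""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    security_code: int   # item 2: LAN modules must share this code to talk
    channel: int         # item 3: the channel the module is tuned to
    transmitting: bool   # whether the node is currently active on the air


def admit(registry: list, candidate: Node, active_only: bool) -> str:
    """Decide whether `candidate` may join a network already holding `registry`.

    active_only=True reproduces the weak check the author observed: a name is
    treated as free as soon as its holder is idle. active_only=False refuses
    any registered name, idle or not (item 1 as the page states it)."""
    for node in registry:
        if node.name != candidate.name:
            continue
        if active_only and not node.transmitting:
            continue                      # weak policy: idle holder is ignored
        return "rejected: duplicate node name"
    net_code = registry[0].security_code if registry else candidate.security_code
    net_channel = registry[0].channel if registry else candidate.channel
    if candidate.security_code != net_code:
        return "rejected: security code mismatch"
    if candidate.channel != net_channel:
        return "rejected: wrong channel"
    return "admitted"


# Constructed network: ALPHA is a bona fide host that is idle on the air.
CONSTRUCTED_REGISTRY = [
    Node("ALPHA", security_code=42, channel=1, transmitting=False),
    Node("BRAVO", security_code=42, channel=1, transmitting=True),
]


def scenarios() -> dict:
    """The cases the passage describes, under both name-check policies."""
    same_name = Node("ALPHA", 42, 1, transmitting=True)
    wrong_code = Node("CHARLIE", 7, 1, transmitting=True)
    return {
        "same name, idle holder, weak check": admit(CONSTRUCTED_REGISTRY, same_name, active_only=True),
        "same name, idle holder, strict check": admit(CONSTRUCTED_REGISTRY, same_name, active_only=False),
        "wrong security code": admit(CONSTRUCTED_REGISTRY, wrong_code, active_only=True),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case}: {verdict}")
```

Checking names only against transmitting nodes lets a second module claim a name whenever its owner is idle, so the uniqueness rule of item 1 only helps if it is enforced against the whole registry; even then it is a naming rule rather than authentication, which is why the page lists it alongside security codes, channels and the optional encryption module rather than on its own.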


3.4.2.6 Software and Hardware Mechanisms

Antirogue software products alone may not prevent rogue code
from being inserted into a transmission medium but may prevent
such code from being executed at a targeted host, because the
software will have detected the code before it executes.
Furthermore, this measure may be effective against only some
rogue programs. Stealth rogue programs, as defined in the
cited reference, may be able to bypass some of these control
mechanisms, depending on the specific mechanism(s) used.

Antirogue hardware products may be effective against known as
well as unknown rogue programs, depending on the product
quality and control mechanism(s).


3.4.2.7 Defense Mechanism Combinations

Finally, a combination of control mechanisms will provide more
protection and will make it more difficult for rogue programs
to bypass protection schemes. The use of encryption and
digital signatures should be considered for incorporation into
RF nets; otherwise, it may be possible to compromise each of
them alone.

An RF net without any security mechanisms is vulnerable to
rogue program attack. All of the above control mechanisms,
singularly or combined, implemented either by software,
hardware or both, will help protect a communication channel
from rogue programs, but at a price. The next section
analyzes the costs and benefits of each control mechanism.


3.4.3  Cost-Benefit  Analysis 

To determine whether it would cost more to implement a control
or to accept the anticipated cost of intrusion, a cost-benefit
analysis can determine whether a specific defensive control's
cost is justified. The following cost-benefit analysis is a
less comprehensive, less time-consuming but more appropriate
technique than risk analysis. The cost-benefit
analysis alleviates some of the difficulties in analyzing and
evaluating those controls which would reduce the seriousness
of rogue infection via RF. It incorporates formulas devised
by Fred Cohen that describe the total costs per year of
rogue program defenses and by Linda Rutledge that determine
communication costs with a proposed access vulnerability
likelihood (VL) that we develop. The analysis ascertains a
cost-benefit ratio by:

1. determining the accessibility of computing systems to
rogue program attacks (VL)

2. determining the yearly cost of applying antirogue
products

3. determining the basic cost (BC), recurring cost (RC)
and the expected yearly cost of damaging the computing
system.
3.4.3.1 Access Vulnerability Likelihood (VL)

The VL is a unit of measure defined as the vulnerability of a
closed network resulting from the direct connection to any
node in the network and their associated links. A computing
system's accessibility to rogue program threats, how the rogue
code infiltrates the computer system, includes topological,
vector and functional factors (Figure 19).


Figure 19. Accessibility Vulnerability
Likelihood Components

Topological factors, the physical characteristics of a
computing system, connoted by T, consist of
connectivity/interface links among computing systems. These
links are potential entry points for infection. Vector
factors, connoted by V, consist of carriers that serve as
rogue program vectors directly connected from each link.
Vector factors are used to determine the likelihood that link
interfaces are infected. Functional factors, which may be
based on subjective experiences and are assigned weights,
connoted by Fi, consist of the likelihood of penetration
and the havoc* a rogue program can inflict, which depends on
the presence of or lack of defense mechanisms a computing
system incorporates. The Functional Factors, Fi, can be
denoted as Fi = Fip * Fih. See Figure 20.


* damage a rogue program can cause

Figure 20. Accessibility Factors


Therefore, to calculate the VL:

VL = (V/T) * [ Σ_{i=1} ( … ) + Σ_{j=0} ( … ) ]

Where:

T = topological factor
V = vector factor
Fi = functional factor, or Fip * Fih
Fip = penetration likelihood
Fih = havoc/damage likelihood
i = index
j = index

n = number of subsystems (nodes)


3.4.3.2 Yearly Cost of Safeguards (YCSG)

To determine if the costs of applying safeguards are
justified, the YCSG must be computed. To determine the yearly
cost for cryptographic equipment for encrypting, digital
signatures and authenticating messages, and the various
antirogue products such as scanners, eradicators, monitors and
cryptographic checksums, the following subset of Fred
Cohen's parameters are used:

1. the number of scans/checks (C) to be conducted

2. the loss of employee productivity (P) during
scans

3. the time (T) to perform the scan

4. the one-time cost for licensing/purchasing (L) the
product

5. the cost for key management (M)

6. the cost for installation and updates (U), which
includes the time to install/update (Ut) plus
labor costs (Ul), and

7. the cost for eradicating (E) detected rogue
programs, which includes the time required to clean
up (Ec), to restore damaged files (Er), and costs of
labor (El).

Therefore, the yearly cost of safeguards is calculated as
follows:

Yearly cost of safeguards (YCSG) = CPT + M + U + L + E
Where U = Ut + Ul

E = Ec + Er + El


3.4.3.3 Basic and Recurring Costs

To determine the one-time basic cost and the recurring
communication cost of each system without any incorporated
safeguards, the following subset of Linda Rutledge's
parameters are used:

1. basic costs (BC) (nonrecurring), including the cost
for:

* hardware (Nh),

* software (Ns),

* installation (Ni), and

* network connection (Nn)

2. recurring costs (RC), including costs for:

* call initiation cost (Rb), which consists of:

** overhead cost to establish communication
with the destination computing system (Rbo),
plus

** cost of the time that a carrier signal
must be present for the destination computing
system to respond (Rbr),
times

** the number of ports (Rbp), and

* the cost for data transmission overhead (Rt)

Therefore, the Total Cost = S(BC + RC)

Where:

S = the number of subsystems
Basic Cost (BC) = N

Where N = Nh + Ns + Ni + Nn


Recurring Cost (RC) = R
Where R = Rb + Rt

Rb = Rbp(Rbo + Rbr)

At this point, we can calculate the ratio of the expected loss
if no safeguards are implemented and the expected loss if
safeguards are implemented as follows:

Loss-Ratio = (VL*(BC+RC)) / ((VL*((1-%SAFE)*(BC+RC))) + CSG)


Where:

VL*(BC+RC) = the expected loss if no
safeguards are implemented

((VL*((1-%SAFE)*(BC+RC))) + CSG) = the expected loss with
safeguards implemented

%SAFE = the percentage of protection the safeguards
provide

Therefore, the Cost-Benefit Ratio for an unprotected system is
calculated as follows:

Cost-Benefit Ratio = BSMG / CSFG

Where:

BSMG = Benefit per system from safeguards
     = (VL*BC) - (VL*((1 - %SAFE)BC))

CSFG = Cost per system for safeguard
     = CSG

This completes the abstract model. Section 4.5 instantiates
the cost-benefit analysis using 3 computing systems consisting
of a total of 9 links to determine if the defensive measures
are cost-justified.
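The formulas of 3.4.3.2 and 3.4.3.3 and the two ratios above, carried through in Python as an added example that is not from the dissertation. The input figures are constructed, in arbitrary currency units. CSG is taken to be the yearly cost of safeguards (YCSG), which the page uses in the ratios but does not define separately; that identification is an assumption. The last function adds the break-even point described in the summary of 3.5, where the benefit per system equals the cost of safeguards.

```python
"""Cost-benefit component of the abstract model (3.4.3.2, 3.4.3.3). Added
example; all input figures are constructed, and CSG is assumed to equal YCSG."""


def yearly_cost_of_safeguards(C, P, T, M, L, Ut, Ul, Ec, Er, El) -> float:
    """YCSG = CPT + M + U + L + E, with U = Ut + Ul and E = Ec + Er + El
    (Cohen's parameters as listed in 3.4.3.2)."""
    U = Ut + Ul
    E = Ec + Er + El
    return C * P * T + M + U + L + E


def basic_cost(Nh, Ns, Ni, Nn) -> float:
    """BC = N = Nh + Ns + Ni + Nn (nonrecurring, Rutledge's parameters)."""
    return Nh + Ns + Ni + Nn


def recurring_cost(Rbp, Rbo, Rbr, Rt) -> float:
    """RC = R = Rb + Rt, with Rb = Rbp * (Rbo + Rbr)."""
    Rb = Rbp * (Rbo + Rbr)
    return Rb + Rt


def total_cost(S, BC, RC) -> float:
    """Total Cost = S * (BC + RC) for S subsystems."""
    return S * (BC + RC)


def loss_ratio(VL, BC, RC, pct_safe, CSG) -> float:
    """Expected loss without safeguards over expected loss with them."""
    loss_unprotected = VL * (BC + RC)
    loss_protected = VL * ((1 - pct_safe) * (BC + RC)) + CSG
    return loss_unprotected / loss_protected


def cost_benefit_ratio(VL, BC, pct_safe, CSG) -> float:
    """BSMG / CSFG with BSMG = VL*BC - VL*((1 - %SAFE)*BC) and CSFG = CSG."""
    BSMG = VL * BC - VL * ((1 - pct_safe) * BC)
    CSFG = CSG
    return BSMG / CSFG


def breakeven_safeguard_cost(VL, BC, pct_safe) -> float:
    """Safeguard spend at which benefit per system equals cost per system
    (the point of diminishing returns in 3.5): BSMG itself."""
    return VL * BC - VL * ((1 - pct_safe) * BC)


# Constructed inputs for one wireless LAN host (arbitrary currency units).
CONSTRUCTED = dict(
    C=12, P=50.0, T=0.5,            # 12 scans/year, 50 units lost per hour, 0.5 h each
    M=100.0, L=500.0,               # key management, licence
    Ut=2.0, Ul=150.0,               # install/update time and labour
    Ec=4.0, Er=6.0, El=200.0,       # clean-up, restore, eradication labour
    Nh=2000.0, Ns=300.0, Ni=150.0, Nn=50.0,
    Rbp=4, Rbo=10.0, Rbr=5.0, Rt=200.0,
    S=3, VL=0.4, pct_safe=0.9,
)


def worked_example(p: dict = CONSTRUCTED) -> dict:
    """Evaluate every quantity of the model on the constructed inputs."""
    YCSG = yearly_cost_of_safeguards(p["C"], p["P"], p["T"], p["M"], p["L"],
                                     p["Ut"], p["Ul"], p["Ec"], p["Er"], p["El"])
    BC = basic_cost(p["Nh"], p["Ns"], p["Ni"], p["Nn"])
    RC = recurring_cost(p["Rbp"], p["Rbo"], p["Rbr"], p["Rt"])
    return {
        "YCSG": YCSG,
        "BC": BC,
        "RC": RC,
        "total_cost": total_cost(p["S"], BC, RC),
        "loss_ratio": loss_ratio(p["VL"], BC, RC, p["pct_safe"], YCSG),
        "cost_benefit_ratio": cost_benefit_ratio(p["VL"], BC, p["pct_safe"], YCSG),
        "breakeven_CSG": breakeven_safeguard_cost(p["VL"], BC, p["pct_safe"]),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:20s} {value:10.3f}")
```

Reading the result: a cost-benefit ratio above 1 means the safeguard removes more expected loss per system than it costs, and below 1 (as with these constructed figures) it costs more than the loss it prevents; under the page's definitions the benefit reduces to VL * %SAFE * BC, so the break-even safeguard cost is exactly that product.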
3.5 Summary

This  chapter  developed  a  generic  abstract  model  of  the  rogue 
code  insertion  process  into  a  communication  channel  via  RF, 
delineated  the  parameters,  requirements  and  resources  to 
insert  the  code  and  examined  insertion  goals  and  methods. 
Moreover,  the  proposed  cost-benefit  component  was  discussed  to 
determine  whether  it  would  cost  more  to  implement  a  control  or 
to  accept  the  anticipated  cost  of  the  loss.  The  cost-benefit 
analysis  allows  the  user  to  determine  the  point  of  diminishing 
returns  whenever  the  benefit  per  system,  which  is  the  expected 
loss  without  safeguard  minus  the  expected  loss  with 
safeguards,  equals  the  cost  of  safeguards. 

Building on the work of Cohen and Rutledge to determine
the total costs of computing systems used for transmitting
messages, a cost-benefit component to determine the cost
effectiveness of using defense controls against rogue programs
was proposed. The next chapter instantiates the abstract
model on a DOS-based computing system using O'Neill
Communications' wireless LAN, called LAWN, to insert rogue code
into a targeted host by RF.
Chapter 4 MODEL INSTANTIATION
4.1 Introduction

This chapter instantiates the abstract model developed in
chapter 3 to insert rogue code into a target host's
communication data stream using RF and provides data for the
formulas developed in chapter 3. The technique used to
instantiate the abstract model presumes that an adversary
intent on inserting rogue code can covertly monitor all
communications traffic among legitimate network members. The
chapter also discusses how the model matches the conditions of
the abstract model, examines the two control mechanisms
implemented to prevent rogue code insertion via RF, provides
examples of the cost-benefit component proposed in chapter 3
to determine if the defensive measures are cost-justified, and
discusses various techniques to insert rogue code into a
targeted host.

Chapter  4  has  seven  sections:  the  introduction  (4.1); 
experiment  setting  (4.2);  abstract  model  instantiation 
including  the  environment  description  to  instantiate  the  model 
on  a  DOS-based  system  (4.3);  two  control  mechanisms 
implemented  to  prevent  rogue  code  insertions  via  RF  (4.4)  and 
cost-benefit  analysis  that  determines  that  the  defense 
measures were cost-justified (4.5); techniques to insert rogue
code into a targeted host (4.6); summary (4.7).
4.2 Background

The chapter describes the Remote Insertion of Rogue Code
(RIRC) Experiment conducted on 18 October 1991. The author
uses the ISO 8473 Connectionless-mode Network Protocol
(CLNP) for network level connectivity, and the Trivial File
Transfer Protocol (TFTP) as its basic transmission protocol
through applications level connectivity to insert the rogue
code. CLNP and TFTP perform the same functions as the better
known communication protocols, the Transmission Control
Protocol (TCP) for network level connectivity and the
Internet Protocol (IP) for its transmission protocol,
respectively.


In the RIRC experiment, three IBM PC-compatible computer
systems were connected in an RF local area network, using
O'Neill Communications' Local Area Wireless Network (LAWN)
modules. The author copied a file between two computer systems
to ensure that the file transfer software worked. The third
computer system, acting as an imposter, was then activated to
insert rogue code into the data stream as the file was being
transferred a second time between the same two legitimate
computer systems. The innocent recipient computer executed
the rogue code when it executed the infected file, thereby
illustrating the rogue code's successful insertion.
The experiment showed that a rogue program could be inserted via RF into a network that has only its built-in security mechanisms. Although intruders have more difficulty subverting secure networks, the above experiment remains valid for them, although the insertion techniques are more complex for these systems.

4.3 Parameters and Requirements

Determining the target host's parameters and requirements was not difficult. In the experiment, because the intruder host used the same hardware module as the bona fide hosts, he knew the target network's communications protocol. The LAWN module automatically formatted the rogue code and the receiving host accepted the formatted code. The following three sections discuss the communications channel, data stream conformation, and code generation for this instantiation.


4.3.1 Communications Channel

The experiment used the seven-layer ISO OSI reference model, the ISO 8473 Connectionless-mode Network Protocol (CLNP) and the Trivial File Transfer Protocol (TFTP).
4.3.1.1 Connectionless-mode Network Protocol (CLNP)

The ISO 8473 CLNP provides network-level connectivity. It resides at layer 3, the network layer, of the OSI seven-layer model; the transport layer (layer 4) above it provides end-to-end communications. The latest international standard network protocol profile, the Government Open Systems Interconnection Profile (GOSIP), mandates CLNP. CLNP identifies and categorises the methods used to perform functions within the network layer, provides a uniform structure, and describes which protocols provide the OSI network service.


4.3.1.2 The Trivial File Transfer Protocol (TFTP)

TFTP is a small, easily implemented protocol that transfers files at the application level. For example, some diskless UNIX client machines use TFTP to load their operating system. Diskless workstation manufacturers can place TFTP in many platforms' read-only memory (ROM) to bootstrap the system when the machine is powered on. TFTP's advantage is that it allows bootstrapping code to use the same protocols as the running systems. Its features are limited to reading and writing files from a remote server. Any transfer begins with a request to read or write a file. If the server authorises the request, the connection is opened and the file is sent in fixed-size data packets. (TFTP carries no credentials of any kind; "authorises" here means only that the server is willing to serve the named file to whoever asks.)

4.3.2 Data Stream Conformation

The target host accepts the rogue code as normal network data because the LAWN module has formatted it properly for CLNP and TFTP.

4.3.2.1 CLNP Data Stream

The two CLNP protocol data units (PDUs) that transfer data and report errors are the data PDU and the error report PDU. PDUs contain octets (bytes) that are numbered sequentially starting with number one. When a data PDU is discarded, an error report PDU is generated which identifies the PDU that was discarded, why it was discarded, and where the error occurred. Both PDUs have five parts:

1. the fixed part

2. the address part

3. the optional segmentation part

4. the optional options part

5. the optional data part.


Figure 21 shows a data PDU's structure: the fixed part, the address part, the segmentation part, the options part and the data part. An error-report PDU's structure is not shown.

Figure 21. Data Protocol Data Unit (PDU) Structure
Both PDUs are padded to an integral number of octets and each data octet is numbered. To avoid duplicating data between sessions, each session's first octet is assigned a unique number for the virtual connection (VC). This sequential number starts with one. Other packets are assigned numbers incrementally as they are transferred. These numbers assure the receiving host that the data is arriving in order; they do not establish that it came from the legitimate sender, since any host on the channel that knows the next expected number can supply an acceptable packet, which is exactly what the experiment exploits.


4.3.2.2 TFTP Data Stream

The TFTP packet begins with one of the following five opcodes:

1. Read Request (RRQ) = 1

2. Write Request (WRQ) = 2

3. Data (DATA) = 3

4. Acknowledgment (ACK) = 4

5. Error (ERROR) = 5

The Read Request/Write Request packets have the following format:

     2 bytes         string    1 byte   string   1 byte
   | opcode=1 or 2 | filename |   0    |  mode  |   0    |

The filename and the mode string are zero-terminated ASCII characters. TFTP supports three transfer modes: ASCII (8-bit text, "netascii"), binary (8-bit bytes, "octet"), and mail, which allows it to be integrated with electronic mail.


The data packet has a block number and a data field. The block number starts at 1 and increases sequentially by one for each additional packet. The data field is from 0 to 512 bytes long. The data packet format follows:

     2 bytes     2 bytes    n bytes
   | opcode=3  | block #  |  data   |

The acknowledgment packet acknowledges all packets except termination and timeout packets. The receiver must acknowledge each packet individually by block number. The acknowledgment packet format follows:

     2 bytes     2 bytes
   | opcode=4  | block #  |

The error packet contains an integer which indicates the error type:

0 = not defined

1 = file not found

2 = access violation

3 = disk full or allocation exceeded

4 = illegal TFTP operation

5 = unknown transfer ID

6 = file already exists

7 = no such user

The error message, like all the other strings, consists of zero-terminated ASCII characters that explain the error's nature to the user. The error packet format follows:

     2 bytes     2 bytes      string    1 byte
   | opcode=5  | errorcode  |  errmsg  |   0    |

4.3.2.3 Coding Characteristics and Synchronization

To ensure that the rogue code "looks like" the code it is replacing, the CLNP and TFTP code characteristics are coordinated with their synchronization.


CLNP

CLNP packets contain 512 octets. Synchronization is every 500 ms, and priority codes handle contention. The priority parameter's value indicates the relative priority of the PDU. Priorities vary from 0 (the default) through 14 (the highest).

A header checksum, applied at the source node and verified at the destination node, protects data integrity against transmission errors. The checksum is computed on the entire PDU header, which includes the segmentation* and options information if present for a data PDU. For an error-report PDU, the checksum includes the reason for discard as well. Because the algorithm is public and unkeyed, the checksum detects corruption, not forgery: an intruder building a spurious PDU simply computes the correct value for it.

The stack used in the experiment requires positive acknowledgement for all of the data it sends (ISO 8473 itself is connectionless; the acknowledgement and retransmission described here is provided by the file transfer layer above it). If the destination does not acknowledge the data within a specified timeout period, the sender retransmits it, for some number of iterations, before it resets the connection. The length of the timeout period is based on a packet size of 512 octets, specified in increments of 500 ms. For example, the timeout period is 500 ms for each packet, with five retries. The receiver discards duplicate packets.

TFTP

The size of a TFTP packet is 512 octets. Synchronization is every 500 ms. Each TFTP data packet is assigned a block number, assigned consecutively starting with one. Each data packet contains one data block, which must be acknowledged with an acknowledgment packet before the next packet is sent. If a packet gets lost en route, the sender retransmits it after a set timeout period of 3 seconds; after a preset number of retries the connection is reset. The receiver discards all duplicate packets.

* Used when the size of the PDU is greater than 512 octets.


4.3.2.4 Transmission Frequency

Determining  the  transmission  frequency  was  unnecessary  because 
the  intruder  successfully  inserted  the  rogue  code  message  as 
the  first  packet. 


4.3.3 Experiment Resources

Analogous  to  the  required  hardware  for  the  generic  abstract 
model  discussed  in  chapter  3,  the  experiment  resources 
consisted  of  a  DOS-based  computer  system  and  the  LAWN  module 
which  contained  a  microprocessor  and  a  radio  transceiver  that 
sent  and  received  data  via  radio  signal.  The  module  served 
the  same  purpose  as  the  CHRIS  and  the  transceiver  from  the 
abstract  model.  The  configuration  was  comparable  to  a  LAN  and 
can  be  adapted  to  a  WAN  using  repeaters  or  more  powerful 
transceivers.  The  workstations  were  connected  via  RF  modems 
to  provide  the  physical  and  link-level  connectivity. 
For purposes of this experiment, the two authorized hosts are named Aaron and Bill and the unauthorized user is named Intruder.

Figure 22 provides a system overview of the network.

Figure 22. Hardware System Overview

The three systems' hardware configuration follows.

1.  For  the  computing  system 

* Host Bill is a Packard Bell IBM-compatible computer system with a 12 MHz Intel 80286 CPU, two 5 1/4 inch floppy disk drives, 640K of RAM and a VGA monitor.

* Host Aaron is a BragL IBM-compatible computer system with a 25 MHz Intel 80386 CPU, a 5 1/4 inch high density floppy disk drive, a 3.5 inch high density floppy drive, an 80 Mbyte hard disk, 640K of RAM and a super VGA monitor.

* Host Intruder is a Zenith-150 IBM-compatible computer system with a 4.77 MHz Intel 8088 CPU, two 5 1/4 inch floppy disk drives, 640K of RAM and a CGA monitor.

2. The LAWN module connects the three computers to the network wirelessly, using high-frequency spread spectrum radio transmissions which distribute the transmitted data across multiple frequencies.

Spread spectrum uses a pseudorandom sequence generator to add from 10 to 1,000 bits to the signal. Spreading the bits results in a new signal which is distributed over a wide range of frequencies for transmission. At the receiver this signal is reduced back to the bandwidth of the original. See Figure 23 for LAWN specifications.


Interface: RS-232C                   Frequency: 902-928 MHz
Speed: 19200 bps                     Antenna: internal (omnidirectional)
Modulation: spread spectrum          Repeaters: 2 per path
Protocol: CLNP/TFTP                  Weight: 16 oz
Dimensions: 7" by 4" by 2"           Contention: Carrier Sense Multiple Access
Coverage inside buildings: 10,000 sq. ft
Range in open areas: 500 feet

Figure 23. LAWN Specifications
It is easy to install the LAWN module: it weighs 16 ounces and is six inches long and two inches wide. It includes all the software necessary for electronic mail, file transfers and peripheral sharing, as well as AC power adapters and 9- and 25-pin RS-232 serial port connectors. The module is easy to install, easy to use, and easy to move. When the user plugs the module into the computer's serial port and connects the power source, its software executes.
The module has four lights on the front panel which indicate the LAWN's status (Figure 24). A summary of the four indicator lights follows:

Figure 24. LAWN Schematic


1. The red POWER light indicates the module is receiving power. This light blinks when the module is receiving a message.

2. The green TRAFFIC light signifies that the module is in use.

3. The green CONNECTED light indicates that the computer is communicating with another machine.

4. The green TRANSMIT light indicates that the computer is sending data to another machine.
4.3.4 Code Generation

Because the time period during which the intruder can inject code into a transmission is limited, he used a rogue code of one packet size, 512 bytes, and followed this three-step methodology:

1.  Initialized  the  hosts  to  transfer  files. 

2.  Executed  a  noraal  file  transfer. 

3.  Inserted  the  rogue  code  during  file  transfer. 


4.3.4.1 Initializing Hosts to Transfer Files

The author initialized the three computer systems, host Aaron, host Bill, and host Intruder, by connecting the LAWN modules to each system via the RS-232 serial port connectors. He inserted two 5 1/4" diskettes in each system's drives A and B and typed the <start> command on the command line in drive A to initialize each host. Initialization occurs when the applicable software programs are executed.

Initialization  ensures  that  the  system  is  set  up  to  perform 
Its  function,  such  as  identifying  each  specific  host  on  the 
LAN,  ensuring  that  the  peripheral  device  controlled  by  the 
driver  is  present  and  functional,  and  processing  the 
communications  between  the  application  and  the  computer  LAWN. 
Initialization  consists  of  the  following  four  steps: 
1. Set hostname

2. Assign packet drivers

3. Initialize CLNP network layer software

4. Initialize TFTP software

The system must be initialized for file transfer. See Appendix 1 for the batch code for this initialization.


4.3.4.1.1 Set Hostname

First, the author assigns each computer system a hostname so that the network can uniquely identify each system. The commands to set this parameter are:

1. For host Aaron ==> SET HOSTNAME=Aaron

2. For host Bill ==> SET HOSTNAME=Bill

3. For host Intruder ==> SET HOSTNAME=Aaron

(the imposter host is masquerading as host Aaron)


4.3.4.1.2 Assign Packet Drivers

Then,  to  provide  the  link  layer  connectivity,  packet  drivers 
for  each  host  were  assigned  in  accordance  with  each  machine's 
specific  hardware  configuration  as  discussed  in  section  4.3.3. 
For each specific host, the following parameters* were used:

1. Host Aaron ==> For COM1: lawnslip 0x65 -h 6 3 0x2f8 19200

2. Host Bill ==> For COM3: lawnslip 0x65 -h 6 4 0x3f8 19200

(COM1 and COM2 were already being used)

3. Host Intruder ==> For COM1: lawnslip 0x65 -h 6 4 0x3f8 19200


4.3.4.1.3 Initialize CLNP Network Layer Software

Second, the author initialized the CLNP network layer software for each system by executing the command <clnptsr>. The CLNP software is a TSR (terminate-and-stay-resident) program that provides telecommunications and information exchange between systems. See the cited reference for the CLNP code.


4.3.4.1.4 Initialize TFTP Software

Thirdly, the TFTP software, which contains both server and client processes, is automatically initialized when it executes a file transfer beginning with the command <tftp> for a bona fide host or <bftp> (bad file transfer protocol) for an intruder host. BFTP is a modified version of TFTP that allows host Intruder to monitor all traffic and insert rogue code in the first packet sent to the receiver host. This completes the hosts' initialization process.

* Usage:

LAWNSLIP [-n] [-d] [-w] packet_int_no [-h] [-p count] [-t count] [driver_class] [int_no] [io_addr] [baud_rate] [send_buf_size] [recv_buf_size] [data_buf_size]

-h enables hardware handshaking
-p modifies the limit before polling mode is used
-t modifies the timeout for delaying after the last character.

The driver_class could be SLIP, KISS, AX.25, or a number.

4.3.4.2 Executing a Normal File Transfer

To ensure that the RF modems were operational and that the two friendly hosts could communicate, the author sent a file from host Aaron to host Bill. He enters a "request wait" command at host Aaron by invoking <tftp> as follows:

Typed from host Aaron: <tftp>

At host Bill the author requests the file "crc.exe" from host Aaron and renames it "test.exe", as follows:

Typed from host Bill: <tftp -h Aaron -g crc.exe test.exe>*

The tftp command specifies that the TFTP protocol is to be used to communicate between hosts Aaron and Bill. The second and third parameters, -h Aaron, specify Aaron as the source address. The remaining parameters request that the file <crc.exe> be transferred from host Aaron to host Bill and renamed <test.exe>. To verify that test.exe is an exact duplicate of crc.exe, the author conducted the following three tests: a file size test using the DIR command, a CRC, and a byte-by-byte comparison. The DIR command showed that the files have the same size, 3273 bytes. A CRC via crc.exe established that the CRC values for both files were identical: 5B A2 for both crc.exe and test.exe.

* Usage:

Without -h, -p or -g: server operation.

Client operation must supply either -h hostname or -a address, with
-p local_filename remote_filename to put a remote file, or
-g remote_filename local_filename to get a remote file.

[Option parameters with (default settings)] as follows:
[ -r (5)   ] Retry attempts before giving up
[ -s (512) ] PDU data size
[ -u (St)  ] TFTP protocol selector #
[ -f (1)   ] Fragmented PDUs permitted, No = 0, Yes = 1
[ -o (0)   ] Header checksum requested, No = 0, Yes = 1
[ -e (1)   ] Error reports requested, No = 0, Yes = 1
[ -d (0)   ] Debug level, 0 = none, 1 = some, 2 = detailed

crc.exe is the file that host Bill requested from host Aaron;
test.exe is the renamed copy of crc.exe.

In addition to the CRC check, and because there is a 1 in 2^16 chance that two different files will have the same four-character CRC value, the author conducted a byte-by-byte comparison using the DOS COMP command for further verification, as follows:

A:\>comp crc.exe test.exe

Comparing CRC.EXE and TEST.EXE...

Files compare OK

The COMP command showed that the crc.exe and test.exe files were the same. Therefore, the author could successfully transfer files between the two friendly computer systems.

To understand how to insert rogue code during a file transfer, it is beneficial to examine the data flow between the machines during file transfer. First, host Bill sends a read request for the file "crc.exe" to host Aaron. Host Aaron opens the file and reads the first block of 512 bytes into a buffer. A PDU is then created using the addressing information in host Bill's read request. A sequence number of 1 is assigned to the first data block, which is sent to host Bill (Figure 25).

Figure 25. Host Aaron Sends a Message to Host Bill

Upon successful receipt of the data, host Bill sends an ACK PDU with the same sequence number, seq. #1, to host Aaron (Figure 26).

Figure 26. Host Bill Acknowledges Host Aaron's Message

Host Aaron, upon receiving that ACK, continues to send blocked packets with sequentially increasing sequence numbers until the entire file is transferred. If an ACK is not received within a specific time, the packet is retransmitted until either an ACK is received or the retry limit is reached. If the packet is not in the correct format, or the checksum in the network protocol or the CRC in the LAWN link protocol does not match, the packet is rejected.

4.3.4.3 Inserting Rogue Code During a File Transfer

At this time, the intruder inserts rogue code into the friendly host's data stream. To invoke the protocol, the imposter, masquerading as host Aaron with HOSTNAME=Aaron, executes <bftp>. This command places the imposter host in a monitoring mode, ready to insert its code as soon as it detects a file transfer. No operator interaction is required for this process. To insert the rogue program, host Intruder creates a spurious PDU whose format is identical to the legitimate system's PDU format; the spurious PDU must pass the CLNP network layer checksum, pass the link layer CRC test, and have the same sequence number and format as the good packet. The intruder uses the same procedures as set forth in paragraph 4.3.4.2 to effect a normal file transfer. As host Intruder detects a file transfer taking place, it immediately sends its "spurious" packet to the receiver host, host Bill (Figure 27).

Figure 27. Host Intruder's Packet Reaches Host Bill First

Host Bill accepts the bad packet and sends an ACK to host Aaron indicating that the first packet has been successfully received (Figure 28).

Figure 28. Host Bill Acknowledges Host Intruder's Packet to Host Aaron
The above operational steps took place in this order:

Step   Timeline

0      Host Bill sends a file request to host Aaron.

1      Host Intruder detects that a file transfer is to take place.

2      Host Intruder sends its prepared rogue packet, spurious packet #1, to the receiver host, host Bill.

3      Host Aaron prepares its message for host Bill and sends its first packet, bona fide packet #1.

4      Host Bill receives the rogue packet, spurious packet #1, from host Intruder.

5      Host Bill receives host Aaron's packet, bona fide packet #1, and discards it, because it has already received packet #1. No ACK is sent for rejected packets.

6      Host Bill acknowledges receiving packet #1 (really sent by host Intruder) to host Aaron.

7      Host Aaron receives the acknowledgement for (rogue) packet #1 (sent by host Intruder), and then continues to send the other packets.

Host Intruder will almost always beat the sender host because the sender host has much more to do than host Intruder to prepare a packet for transmission, such as finding and opening the file and preparing and sending PDUs. To illustrate this point, host Intruder was the slowest machine, with a 4.77 MHz CPU clock speed, while the sender, host Aaron, was the fastest computer, with a 25 MHz CPU clock speed (see the hardware configuration in section 4.3.3).

The following paragraphs describe why the intruder's packet got to host Bill before the sender's packet.




DOS programs use a unique 16-bit value called a file handle to perform file operations. The file handle identifies the file currently being accessed: the open and create functions return it, and subsequent functions use it to perform other file operations such as reading and writing. The following describes the timeline and steps required to transfer files:

0   Receiver host Bill requests a file from the sender host Aaron.

1   Sender host must first locate the requested file via the find-first-file function, Interrupt 21h, Function 4Eh.

2   The sender host opens the found file via the open-file function, Interrupt 21h, Function 3Dh.

3   Sender host reads the file into an internal buffer to prepare it for transmission and builds the data PDU.

4   Sender host transmits the data PDU to the receiver host.

Host Intruder does not have to follow these steps: with its rogue code packet already prepared, as soon as it detected a file transfer request it immediately transmitted its prepared packet to the receiving host. The intruder can, therefore, prepare the rogue packet in advance and skip the file I/O.
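The race described in the timeline above and the TFTP packet layouts of section 4.3.2.2 can be reproduced in a few dozen lines. The following is an added example written for this edition; it is not the dissertation's tftp or bftp software. It encodes and decodes the five TFTP packet types, models host Bill's receiver rule (accept the next expected block, acknowledge it by number, drop anything else without an ACK) and host Aaron's sender rule (retransmit until an ACK for that block number is seen), and then runs one clean transfer and one in which host Intruder's prepared block 1 arrives first. The host names follow the text; the file contents, the rogue block and the bookkeeping fields are constructed for the example.

```python
"""Added example, not code from the dissertation or its tftp/bftp software:
a simulation of the first-packet race in the 4.3.4.3 timeline, built on the
TFTP packet layouts of section 4.3.2.2. Host names follow the text; the file
contents, the rogue block and the ACK bookkeeping are constructed here."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # TFTP opcodes (section 4.3.2.2)
BLOCK_SIZE = 512                              # data field is 0..512 bytes


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: 2-byte opcode, zero-terminated filename, zero-terminated mode."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    """DATA: opcode 3, 2-byte block number, 0..512 bytes of data."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("data field longer than 512 bytes")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    """ACK: opcode 4, 2-byte block number."""
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    """ERROR: opcode 5, 2-byte error code, zero-terminated message."""
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """Decode any of the five packet types into a dict keyed by field name."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        filename, mode, _rest = packet[2:].split(b"\0", 2)
        return {"op": opcode, "filename": filename.decode(), "mode": mode.decode()}
    (number,) = struct.unpack("!H", packet[2:4])
    if opcode == DATA:
        return {"op": DATA, "block": number, "data": packet[4:]}
    if opcode == ACK:
        return {"op": ACK, "block": number}
    if opcode == ERROR:
        return {"op": ERROR, "code": number, "message": packet[4:].split(b"\0")[0].decode()}
    raise ValueError("unknown TFTP opcode %d" % opcode)


class Receiver:
    """Host Bill: accepts the next expected block, ACKs it by block number and
    silently drops anything else (timeline step 5: no ACK for a rejected
    duplicate). Nothing in the packet tells it who really sent the block."""

    def __init__(self):
        self.expected = 1
        self.blocks = []      # accepted payloads, in order
        self.acked = []       # block numbers acknowledged so far
        self.discarded = []   # block numbers dropped as duplicate/out of order

    def receive(self, packet):
        pkt = parse(packet)
        if pkt["op"] != DATA or pkt["block"] != self.expected:
            self.discarded.append(pkt.get("block"))
            return None
        self.blocks.append(pkt["data"])
        self.acked.append(pkt["block"])
        self.expected += 1
        return build_ack(pkt["block"])


def split_blocks(content):
    """Sender side: 512-byte blocks; a final short (possibly empty) block ends the transfer."""
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def run_transfer(original, rogue_block=None, retries=5):
    """Bill reads `original` from Aaron. With rogue_block set, Intruder, having
    seen the RRQ, delivers its prepared block 1 before Aaron finishes its file I/O.
    Returns (bytes Bill assembled, the Receiver with its bookkeeping)."""
    bill = Receiver()
    rrq = parse(build_request(RRQ, "crc.exe"))            # step 0: Bill's read request
    if rogue_block is not None:                           # steps 1-2: Intruder fires first
        bill.receive(build_data(1, rogue_block))
    for number, chunk in enumerate(split_blocks(original), start=1):
        for _attempt in range(retries):                   # steps 3-7 for each block
            bill.receive(build_data(number, chunk))
            if number in bill.acked:   # Aaron only sees "ACK n", never who earned it
                break
        else:
            raise RuntimeError("no ACK for block %d of %s" % (number, rrq["filename"]))
    return b"".join(bill.blocks), bill


# Constructed sample input: a 1037-byte "executable" (3 blocks) and a 512-byte
# rogue block whose first ten bytes replace the file's header so the size is unchanged.
ORIGINAL = bytes([0x4D, 0x5A]) + bytes(range(256)) * 4 + bytes(11)
ROGUE_STUB = bytes([0x5B, 0x02, 0x01, 0xB9, 0x40, 0x8C, 0xCA, 0xBE, 0xDA, 0xBA])
ROGUE_BLOCK = ROGUE_STUB + ORIGINAL[len(ROGUE_STUB):BLOCK_SIZE]

if __name__ == "__main__":
    infected, bill = run_transfer(ORIGINAL, ROGUE_BLOCK)
    print("size unchanged:", len(infected) == len(ORIGINAL),
          "discarded:", bill.discarded, "acked:", bill.acked)
```

Running it shows the experiment's outcome in miniature: Bill's `discarded` list holds the single legitimate block 1, its `acked` list reads 1, 2, 3 as if nothing happened, and the assembled file has the original's length with only the first ten bytes replaced. The receiver never had any field it could use to reject the imposter's block, which is the point of section 4.3.2.1's caveat on sequence numbers.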


An examination of test.exe demonstrates that the insertion was successful. Performing a DIR command, the file size is the same as the original file, crc.exe: 3273 bytes. But a CRC check shows that the CRC value is different, BD 9F. Also, a byte-by-byte comparison using the DOS COMP command shows:

A:\>comp crc.exe test.exe

Comparing CRC.EXE and TEST.EXE...

Compare error at OFFSET 0
file1 = 4D
file2 = 5B

Compare error at OFFSET 1
file1 = 5A
file2 = 2

Compare error at OFFSET 2
file1 = C9
file2 = 0

Compare error at OFFSET 3
file1 = 0
file2 = B9

Compare error at OFFSET 4
file1 = 7
file2 = 40

Compare error at OFFSET 5
file1 = 1
file2 = 8C

Compare error at OFFSET 6
file1 = 0
file2 = CA

Compare error at OFFSET 7
file1 = 20
file2 = BE

Compare error at OFFSET 8
file1 = 0
file2 = DA

Compare error at OFFSET 9
file1 = 0
file2 = BA

10 Mismatches - ending compare

The COMP command shows that the two files crc.exe and test.exe are different only at the program's first ten bytes, where the rogue code was inserted.

When host Bill executes the infected test.exe, it displays the message, "This file has been infected with a harmless computer virus! This file is no longer good".

The "bftp" software notifies the rogue operator that the rogue program was transmitted, as well as how many packets the sender host transferred. See Appendix 2 for the transmitted rogue program's code.


4.3.4.4 Experiment Summary

The above three sections describe how a rogue program is inserted into a wireless communication stream. The imposter, host Intruder, masqueraded as the sender host, host Aaron, by creating packets that look like they came from host Aaron. The imposter monitored all traffic between the two friendly hosts, Aaron and Bill. Once the imposter detected that a file transfer was to take place, it immediately forwarded its spurious rogue code packet to the receiver host Bill, which acknowledged to the sender host Aaron that the packet was the bona fide sender's first packet. Host Bill, upon receiving host Aaron's legitimate first packet, discarded it as a duplicate. Host Aaron, upon receiving an acknowledgement for its "supposed" first packet, continued to send the rest of the packets. Therefore, host Intruder was able to insert its rogue code successfully into the file that host Aaron sent to host Bill. The next section discusses the defense measures that hosts Aaron's and Bill's users could have taken to minimize the host Intruder's threat.

4.4 Defense Measures

For purposes of this dissertation, only the first two of the seven defense measures that Chapter 3 discussed, CRC and checksum, were used in the experiment to demonstrate detection of rogue code insertion. The DIR command alone did not reveal the modification: the infected file, test.exe, had exactly the same size as the original file, crc.exe (3273 bytes), because the intruder's 512-byte block replaced the first block rather than adding to it. The CRC did show that the two files were different (5B A2 for crc.exe against BD 9F for test.exe), and the byte-by-byte COMP comparison reinforced this by locating the difference in the first ten bytes. A size check is therefore no defense against this insertion technique; an integrity value computed over the file contents is the minimum required, and even that detects rather than prevents the insertion, since an intruder who knows the algorithm can compute the value for the doctored file as well.
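The following added example, written for this edition rather than taken from the dissertation's crc.exe or from the DOS COMP command, implements the three checks above (size, CRC, byte-by-byte compare) and then goes one step beyond the experiment to make the checksum caveat of section 4.3.2.3 concrete: because a CRC is linear and unkeyed, an intruder who keeps the file size fixed can also choose two bytes of the doctored file so that its CRC equals the original's, leaving the byte comparison as the only check that still fires. Assumptions: a CRC-16 with the polynomial 0x8005 in reflected form (CRC-16/ARC, common in DOS-era utilities), since the page does not say which polynomial crc.exe used; the sample file contents are constructed.

```python
"""Added example, not the dissertation's crc.exe or the DOS COMP command: the
integrity checks of section 4.4 (size, CRC, byte-by-byte compare) and the
limit noted in 4.3.2.3, that a CRC or checksum the intruder can compute is
not an authenticator. Assumption: CRC-16 with polynomial 0x8005 in reflected
form (CRC-16/ARC); the page does not say which polynomial crc.exe used.
Sample file contents are constructed."""


def _make_table(poly=0xA001):   # 0x8005 bit-reversed
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc16_update(crc, data):
    """Feed `data` into a running CRC-16/ARC register value."""
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return crc


def crc16(data):
    return crc16_update(0, data)


def comp(file1, file2, limit=10):
    """Byte-by-byte comparison in the manner of DOS COMP: a list of
    (offset, byte1, byte2) mismatches, stopping after `limit` of them;
    None when the sizes differ (COMP refuses to compare such files)."""
    if len(file1) != len(file2):
        return None
    mismatches = []
    for offset, (a, b) in enumerate(zip(file1, file2)):
        if a != b:
            mismatches.append((offset, a, b))
            if len(mismatches) == limit:
                break
    return mismatches


def check_transfer(original, received):
    """The three tests of section 4.3.4.2 applied to a received file."""
    return {
        "same_size": len(original) == len(received),
        "same_crc": crc16(original) == crc16(received),
        "mismatches": comp(original, received),
    }


def forge_crc(tampered, target_crc):
    """Append two bytes so that `tampered` carries `target_crc`. A CRC is
    linear, so exactly one 16-bit suffix reaches any target; brute force
    over the 65536 candidates needs only the running state of the prefix."""
    state = crc16(tampered)
    for s in range(0x10000):
        suffix = bytes([s & 0xFF, s >> 8])
        if crc16_update(state, suffix) == target_crc:
            return tampered + suffix
    raise AssertionError("no suffix found; CRC-16 linearity rules this out")


# Constructed sample: an "executable" and the same file with its first ten
# bytes replaced, as in the experiment (same size, different content).
ORIGINAL = bytes([0x4D, 0x5A]) + bytes(range(256)) * 4 + bytes(11)
INFECTED = bytes([0x5B, 0x02, 0x01, 0xB9, 0x40, 0x8C, 0xCA, 0xBE, 0xDA, 0xBA]) + ORIGINAL[10:]


def disguised_infected():
    """INFECTED with its last two bytes chosen so its CRC equals ORIGINAL's:
    same size, same CRC, still different content. Only comp() still notices."""
    return forge_crc(INFECTED[:-2], crc16(ORIGINAL))


if __name__ == "__main__":
    print(check_transfer(ORIGINAL, INFECTED))
    print(check_transfer(ORIGINAL, disguised_infected()))
```

The first `check_transfer` call reproduces the experiment's result (same size, different CRC, mismatches at offsets 0 through 9). The second shows why the page's functional factor matrix rates CRCs and checksums so much weaker than digital signatures: against an intruder rather than noise, only a keyed or signed integrity value, or a trusted reference copy to compare against byte by byte, closes the gap.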
4.5 Cost-Benefit Analysis

In this section, the formulas provided in chapter 2 are implemented with examples to determine whether it would cost more to implement controls or to accept the anticipated cost of the loss.

To implement the cost-benefit portion of the model to ascertain the cost-benefit ratio, the following three parameters must be computed:

1. the accessibility of computing systems to rogue program attacks, the access vulnerability likelihood (VL)

2. the cost of applying antirogue products (the yearly cost of safeguards (CSG), which enhances product effectiveness)

3. the basic cost (BC), recurring cost (RC) and the expected yearly loss of the computing system

4.5.1  Access  Vulnerability  Likelihood  (VL) 
Using  the  formula  from  page  75, 

A  ▼ 

VL  =  {V/T)*[  X)  +  E 
1-1  j-o 
Where:

T = topological factor

V = vector factor

Fi = functional factor, or Fi = Fid * Fit

Fid = penetration likelihood

Fit = havoc/damage likelihood

i = index

j = index

n = number of subsystems (nodes) that can be carriers


Three computing systems were used, consisting of 9 links as shown in Figure 29. The topological factor is 9, since there is a total of nine links.


Figure  29.  Example  Subsystem 

The  vulnerability,  based  on  the  vector  analysis  contribution 
was  .66  because  6  of  the  9  links  can  carry  the  infection. 
The likelihood of the three printer links becoming carriers was remote. Dividing the vector contribution by the topological contribution and multiplying it by the function contribution of each of our subsystems determined the VL. The function contribution was determined from the following matrix, which contains a number of safeguards with associated (subjective) weights assigned specifically for purposes of this dissertation (other researchers may assign different weights depending on their own experiences or purposes):
runotional  Taetor  Matrix _ 

USB  or  BATBOUBBOS  WBXOHTBD  VDLHBRABZLZTXBB 

PenetratioB  (Fu)  Damage (F^) 


1. 

CRCs 

.50 

.50 

2. 

checksums 

.30 

.30 

3. 

encryption 

.50 

.10 

4. 

digital  signatures 

.10 

.99 

5. 

Incorporated  safeguards 

.30 

.99 

6. 

SH  or  HH  mechanisms 

.10 

.10 

7. 

combination  of  the  above 

.10 

.10 

For example, in the case where 3 computing systems had a total of 9 links, 6 of which can be carriers, assuming that computing system-A is using software or hardware safeguards with its respective weight where Fi = (Fid) * (Fit) = .10 * .10 = .01, and computing system-B is using CRCs where Fi = .50 * .50 = .25 and computing system-C is using no safeguards, Fi = .99, to determine VL (see Figure 30), one calculated:
Hence, the VL for the three computing systems is 1.17, meaning that there is a lesser chance than the mean* that the network may be infected. Converting VL to a percentage for use in forthcoming calculations, 1.17 approximates to a 20% vulnerability. This percentage is determined by calculating the lower bound (i.e., full protection which is defined at 99%) and the upper bound (no protection at .01%) vulnerability for this network, and then normalizing the upper bound. For the above three computing systems, the lower bound is

For n=1:  VL(1) = .66[.01 + (.01*.01) + (.01*.01)] = .0067
For n=2:  VL(2) = .66[.01 + (.01*.01) + (.01*.01)] = .0067
For n=3:  VL(3) = .66[.01 + (.01*.01) + (.01*.01)] = .0067
Therefore, VL = VL(1) + VL(2) + VL(3) = .0202

The upper bound vulnerability is

For n=1:  VL(1) = .66[.99 + (.99*.99) + (.99*.99)] = 1.947
For n=2:  VL(2) = .66[.99 + (.99*.99) + (.99*.99)] = 1.947
For n=3:  VL(3) = .66[.99 + (.99*.99) + (.99*.99)] = 1.947
Therefore, VL = VL(1) + VL(2) + VL(3) = 5.841

Therefore, the percentage equivalent of VL is determined by normalizing the lower bound to 1, such that 1.17/5.841 = 20%. Hence the accessibility vulnerability likelihood is 20%. See the following table for an analysis of VL as the value of n doubles, while keeping all other parameters constant.


* The mean is determined by averaging the VL for the three subsystems with no vulnerabilities (i.e., F(i)=.01; hence, VL=.0202) and with full vulnerabilities (i.e., F(i)=.99; hence, VL=5.841). Therefore, the mean=2.93.
  n       VL        LB         UB        %
  3      1.17     .0202      5.841      20
  6      2.34     .0404     11.682      20
 12      4.68     .0808     23.364      20
 24      9.36     .1616     46.728      20
 48     18.72     .3232     93.456      20
 96     37.44     .6464    186.912      20

Where:

n  = number of nodes
VL = measure of vulnerability
LB = lower bound
UB = upper bound
%  = normalized value

As expected, the normalized VL does not change when n is doubled and all other factors remain the same: adding or removing nodes leaves the VL percentage unchanged as long as every other parameter is held constant.
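The VL computation above, carried through in code as an added example (mine, not the dissertation's): it scores each node from the Functional Factor Matrix, applies the per-node form VL(i) = (V/T)[F_i + sum over j of F_i F_j] that the lower- and upper-bound calculations instantiate, and normalizes against the bounds. The .66 ratio is the text's truncation of 6/9; the doubling rows assume each doubling adds another copy of the same three-node subsystem scored independently.

```python
# Added example, not code from the dissertation: the VL computation of
# section 4.5.1 in code. Weights come from the Functional Factor Matrix;
# .66 is the text's (truncated) 6/9 vector-to-topological ratio.

# Functional Factor Matrix: safeguard -> (penetration F_id, damage F_it)
FUNCTIONAL_FACTOR_MATRIX = {
    "CRCs": (0.50, 0.50),
    "checksums": (0.30, 0.30),
    "encryption": (0.50, 0.10),
    "digital signatures": (0.10, 0.99),
    "incorporated safeguards": (0.30, 0.99),
    "SW or HW mechanisms": (0.10, 0.10),
    "combination of the above": (0.10, 0.10),
}
NO_SAFEGUARD = 0.99      # F_i for an unprotected node (upper-bound value)
FULL_PROTECTION = 0.01   # F_i at the lower bound


def functional_factor(safeguard):
    """F_i = F_id * F_it for a matrix row; .99 when no safeguard is used."""
    if safeguard is None:
        return NO_SAFEGUARD
    f_pen, f_dmg = FUNCTIONAL_FACTOR_MATRIX[safeguard]
    return f_pen * f_dmg


def vl_node(i, factors, ratio):
    """VL(i) = (V/T) * [F_i + sum over j != i of F_i * F_j].

    This is the per-node form the lower- and upper-bound
    calculations instantiate: .66[.01 + (.01*.01) + (.01*.01)].
    """
    f_i = factors[i]
    cross = sum(f_i * f_j for j, f_j in enumerate(factors) if j != i)
    return ratio * (f_i + cross)


def vl_subsystem(factors, ratio):
    """VL for one subsystem: the sum of its per-node contributions."""
    return sum(vl_node(i, factors, ratio) for i in range(len(factors)))


def vl_normalized(factors, ratio):
    """Return (VL, lower bound, upper bound, normalized percentage).

    The bounds rescore the same nodes with F_i = .01 and F_i = .99;
    the percentage is VL divided by the upper bound.
    """
    n = len(factors)
    vl = vl_subsystem(factors, ratio)
    lb = vl_subsystem([FULL_PROTECTION] * n, ratio)
    ub = vl_subsystem([NO_SAFEGUARD] * n, ratio)
    return vl, lb, ub, 100.0 * vl / ub


def doubling_rows(factors, ratio, copies=(1, 2, 4, 8, 16, 32)):
    """Rows (n, VL, LB, UB, %) as the network is doubled.

    Assumption (mine): each doubling adds another copy of the same
    subsystem scored independently, so VL, LB and UB grow linearly
    and the normalized percentage does not move.
    """
    vl, lb, ub, pct = vl_normalized(factors, ratio)
    return [(k * len(factors), k * vl, k * lb, k * ub, pct) for k in copies]


# Worked case from the text: 9 links, 6 of them carriers -> V/T = .66
RATIO = 0.66
FACTORS = [
    functional_factor("SW or HW mechanisms"),  # system A: .10 * .10 = .01
    functional_factor("CRCs"),                 # system B: .50 * .50 = .25
    functional_factor(None),                   # system C: unprotected, .99
]

if __name__ == "__main__":
    vl, lb, ub, pct = vl_normalized(FACTORS, RATIO)
    print(f"VL={vl:.2f}  LB={lb:.4f}  UB={ub:.3f}  mean={(lb + ub) / 2:.2f}  -> {pct:.0f}%")
    for n, v, l, u, p in doubling_rows(FACTORS, RATIO):
        print(f"n={n:3d}  VL={v:6.2f}  LB={l:.4f}  UB={u:8.3f}  {p:.0f}%")
```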
4.5.2 Yearly Cost of Safeguards

To determine the yearly cost of safeguards, the following equation was used:

Yearly Cost of Safeguards (YCSG) = (C*F*T + M + U + L + E)

Where:

C = the number of scans/checks
F = the loss of employees' productivity
T = the time to perform the scan
M = the cost for key management
U = the cost for installation and updates
  = Ui (the time to install/update) * Pe (the employees' costs)
L = the cost for licensing/purchasing of product
E = the cost for eradicating detected rogue programs
  = [Ec (the time required to clean damaged files) + Er (time to restore damaged files)] * Pe (employees' time involved)
For example, to calculate the safeguard costs, it was assumed that a cryptographic mechanism and a scanner/eradicator were installed, such as the RSA algorithm and SCANV, that provided 99% protection, as per the Functional Factor Matrix.


COST FOR SAFEGUARDS FOR COMPUTER SYSTEMS:

Number of scans (C):            250       (scan done after each bootup = daily)
Loss of time (F):               $.27      (= $16.00 per hour = $.27/min)
Time to perform scan (T):       5 min
Cost for key management (M):    $50.00    (one time cost of equipment)
Cost for installation (U):      $56.00    (one hour for crypto, 1/2 hour for scan)
Cost for updates:               $40.00    (4 updates per year = $10.00 per scan)
  Total (U):                    $96.00
Cost for licensing (L):         $25.00    (per year)
Cost to eradicate (E):          $.015     (scanner will automatically eradicate w/permission = approx. 5 sec)
Cost to restore:                $.54      (assume back-ups available = 2 min to get them)
Cost to back up:                $4.00     (assume no major damage = 15 min to back up specific files)
  Total (E):                    $4.55

Yearly Cost of Safeguards = (250*.27*5 + 50 + 96 + 25 + 4.55)
                          = $513.05

Hence, the yearly cost of safeguards was $513.05 per year for each subsystem, which may be a reasonable cost depending on the importance of the data to be protected. The above costs were obtained from the cited sources.
4.5.3 Basic and Recurring Costs

To determine the total cost of each subsystem without any incorporated defensive controls:

Total Cost = S(BC + RC)

Where:

S = the number of subsystems

Basic Cost (BC) = N
  where N = Nh + Ns + Ni + Nn
  Nh = hardware costs
  Ns = software costs
  Ni = installation costs
  Nn = network connection costs

Recurring Cost (RC) = R
  where R = Rb + Rt
  Rb = Rbp(Rbo + Rbr) = initiation cost
  Rbo = cost to establish communication
  Rbr = cost of the response time
  Rbp = number of ports
  Rt = cost for data transmission

Assuming 3 computing systems connected via RF as in the previous example:

NONRECURRING COST                                  RECURRING COST
hardware + software + install + connection         call initiation + transmission overhead
$3000.00 + 5000.00 + 8.00 + 450.00                 .025 + .075

Basic Cost = $8458.00
Recurring Cost = $.10

For Basic (nonrecurring) Costs:
hardware cost = $3000.00
software cost = $5000.00
install cost = one employee working at $16.00 per hour for 1/2 hour
             = $8.00
connection cost = the cost of the wireless LAN components, such as the LAWN
                = $450.00

Therefore, Basic Cost = Nh + Ns + Ni + Nn = $3000 + $5000 + $8 + $450
                                          = $8458.00

For Recurring Costs:
call init cost = one employee working at $13.00 per hour for 2 seconds for overhead (Rbo = $.010) and for 3 seconds to respond (Rbr = $.015)
                 (= $.005 per second)
               = $.025
transmit cost = one employee working at $13.00 per hour for 15 seconds for a 30K file
              = $.075 (assuming one port (Rbp = 1))

Therefore, Recurring Costs = R = Rb + Rt = Rbp(Rbo + Rbr) + Rt
                             = 1($.010 + $.015) + $.075
                             = $.10

Hence, Basic Costs plus Recurring Costs = $8458.10 per subsystem. The total system cost = 3 * $8458.10 = $25,374.30.
At this point, the ratio of the expected loss with no safeguards to the expected loss with safeguards for each subsystem was calculated as follows:

Loss-Ratio = (VL*(BC+RC)) / ((VL*((1 - %SAFE)*(BC+RC))) + CSG)

Where:

VL*(BC+RC) = the expected loss if no safeguards are implemented
(VL*((1 - %SAFE)*(BC+RC))) + CSG = the expected loss with safeguards implemented
%SAFE = the percentage of protection provided by the safeguards (its effectiveness)

Therefore, the Cost-Benefit Ratio for an unprotected subsystem was calculated as follows:

Cost-Benefit Ratio = BSFG / CSFG

Where:

BSFG = Benefit per subsystem from safeguards
     = the expected loss if no safeguards are implemented minus the expected loss with safeguards implemented
     = (VL*BC) - (VL*((1 - %SAFE)BC))

CSFG = Cost per subsystem for safeguard
     = CSG
Recalling that the VL = 20%, the expected cost of loss without safeguards to the expected cost of loss with safeguards is:

Expected Cost of Loss without Safeguards = (.20*8458.10)
                                         = $1691.62

Expected Cost of Loss with Safeguards = ((.20*((1-.99)*8458.10)) + 513.05)

Loss Ratio = (.20*8458.10) / ((.20*((1-.99)*8458.10)) + 513.05)
           = 1691.62 / 529.97
           = 3.2 / 1
           ≈ 3 / 1

The Cost-Benefit Ratio for an unprotected subsystem was calculated as follows:

Expected damage per subsystem due to an access vulnerability likelihood of .20 (from above) is $1691.62 (which is the expected damage per subsystem without safeguards).

Expected damage per subsystem with safeguards (from above) is $529.97.

Therefore:

Benefit per subsystem from safeguards (BSFG) = (expected damage) - (expected damage w/safeguards)
                                             = $1691.62 - $529.97
                                             = $1161.65

Cost per subsystem for safeguard (CSFG) = $513.05

Cost-Benefit Ratio (for each subsystem) = BSFG / CSFG
                                        = (1161.65) / (513.05) = 2.3

Therefore, the Cost-Benefit Ratio = 2.3 ≈ 2 / 1
These figures demonstrate that for every dollar spent on safeguarding an unguarded system, the user will avoid spending approximately 3 dollars (loss ratio ≈ 3/1). For every dollar spent, the user will save 2 dollars (cost-benefit ratio ≈ 2/1). If the user does not select this wise choice, then according to the vulnerability estimate, he could end up spending an additional $1161.65 due to rogue program infection and associated losses.
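The cost side of the model (sections 4.5.2 and 4.5.3 and the two ratios above), carried through in code as an added example that is mine, not the dissertation's, with the text's own figures. The SafeguardCosts record and the function names are mine; the cost-benefit ratio follows the page's numeric steps, in which the loss "with safeguards" includes CSG.

```python
# Added example, not code from the dissertation: the cost-benefit
# portion of section 4.5 (YCSG, basic/recurring cost, loss ratio and
# cost-benefit ratio) with the text's figures. Names are mine.
from dataclasses import dataclass


@dataclass
class SafeguardCosts:
    """Inputs to YCSG = C*F*T + M + U + L + E."""
    scans_per_year: int        # C: 250 (one scan per daily boot-up)
    productivity_loss: float   # F: $.27 per minute ($16.00 per hour)
    scan_minutes: float        # T: 5 minutes per scan
    key_management: float      # M: $50.00
    install_updates: float     # U: $96.00 (install plus 4 updates/year)
    licensing: float           # L: $25.00 per year
    eradication: float         # E: $4.55 (eradicate, restore, back up)

    def yearly(self):
        """YCSG, the yearly cost of safeguards (CSG) per subsystem."""
        return (self.scans_per_year * self.productivity_loss * self.scan_minutes
                + self.key_management + self.install_updates
                + self.licensing + self.eradication)


def basic_cost(hardware, software, install, connection):
    """BC = Nh + Ns + Ni + Nn."""
    return hardware + software + install + connection


def recurring_cost(ports, establish, response, transmission):
    """RC = Rbp*(Rbo + Rbr) + Rt."""
    return ports * (establish + response) + transmission


def expected_losses(vl, system_cost, pct_safe, csg):
    """(expected loss without safeguards, expected loss with safeguards).

    Without: VL*(BC+RC). With: VL*((1 - %SAFE)*(BC+RC)) + CSG, i.e. the
    residual exposure after the safeguards plus what they cost.
    """
    without = vl * system_cost
    with_safeguards = vl * ((1.0 - pct_safe) * system_cost) + csg
    return without, with_safeguards


def loss_ratio(vl, system_cost, pct_safe, csg):
    """Expected loss without safeguards over expected loss with them."""
    without, with_safeguards = expected_losses(vl, system_cost, pct_safe, csg)
    return without / with_safeguards


def cost_benefit_ratio(vl, system_cost, pct_safe, csg):
    """BSFG / CSFG: avoided loss per subsystem over the safeguard cost."""
    without, with_safeguards = expected_losses(vl, system_cost, pct_safe, csg)
    return (without - with_safeguards) / csg


# Figures from the text
COSTS = SafeguardCosts(250, 0.27, 5, 50.00, 96.00, 25.00, 4.55)
BC = basic_cost(3000.00, 5000.00, 8.00, 450.00)   # $8458.00
RC = recurring_cost(1, 0.010, 0.015, 0.075)       # $.10 with one port
VL = 0.20         # normalized access vulnerability likelihood (20%)
PCT_SAFE = 0.99   # effectiveness of the RSA + scanner safeguards

if __name__ == "__main__":
    csg = COSTS.yearly()
    without, with_sg = expected_losses(VL, BC + RC, PCT_SAFE, csg)
    print(f"CSG per subsystem      ${csg:.2f}")
    print(f"BC + RC per subsystem  ${BC + RC:.2f}  (3 subsystems: ${3 * (BC + RC):,.2f})")
    print(f"expected loss          ${without:.2f} without, ${with_sg:.2f} with safeguards")
    print(f"loss ratio             {loss_ratio(VL, BC + RC, PCT_SAFE, csg):.1f} : 1")
    print(f"cost-benefit ratio     {cost_benefit_ratio(VL, BC + RC, PCT_SAFE, csg):.1f} : 1")
```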


4.6  Attack  Methodology  Variations 

In the above experiment, the intruder inserted rogue code into a targeted host via RF by replacing the first valid packet with a rogue packet. Insertion can also be accomplished by replacing any packet in the data stream; however, it is more difficult to insert rogue code successfully into other data stream locations because the timing sequence and packet order become more important. After the first packet, the rogue code could accomplish many different tasks such as deleting files, modifying programs, capturing programs or propagating its rogue code to other computing systems. In all these cases, the code would be more complicated and would require more than two packets. Moreover, the intruder host can masquerade as the receiving host as well as the sending host, thereby having the capability to eavesdrop on transmissions. The intruder is able to masquerade as the receiving host assuming that the intruder knows the hostname of the bona fide receiver host as well as using the same hardware with the appropriate settings. Acknowledgments from the intruder are not a concern because the protocol will discard any duplicate acknowledgements. Also, the rogue code can accomplish many other tasks, but the more tasks it pursues, the more rogue code required, the more chances of something going wrong and, hence, the more prone the rogue code is to detection.


4.7  Conclusions 

This dissertation demonstrated that unprotected wireless LANs are more vulnerable to rogue program attack than traditional LANs. This vulnerability was demonstrated by developing and instantiating an abstract model of the rogue code insertion process into a targeted wireless communications system that used RF atmospheric signal transmission.

The model was general enough to apply it to widely used target environments such as the UNIX, Macintosh and DOS operating systems. In this experiment, the model was instantiated on a DOS-based system that used a Local Area Wireless Network (LAWN) connection.

This experiment to instantiate the abstract model in chapter 3 to insert rogue code into a targeted host was successful. The author used the ISO 8473 Connectionless-mode Network Protocol (CLNP) for network-level connectivity, and the Trivial File Transfer Protocol (TFTP) as its basic transmission protocol through application-level connectivity to insert the rogue program. Three IBM PC-compatible computer systems were connected by RF LAN, using O'Neill Communications' Local Area Wireless Network (LAWN) modules. The author copied a file between the two legitimate computer systems to ensure that the file transfer software worked. The third, spurious computer system, the imposter, then inserted rogue code into the data stream as the file was being transferred a second time between the same two legitimate computer systems. The innocent recipient executed the rogue code when it executed the infected file, thereby illustrating the rogue code's successful insertion. Two defense measures, CRCs and checksumming, to prevent rogue code insertions via RF were examined.

The technique to instantiate the abstract model, using specific protocols (CLNP and TFTP) and O'Neill's (LAWN) wireless communication modules, may be generalized. The principles and the technique used remain valid for other protocols and other communication modules. Inserting rogue programs can be more complex and sometimes near impossible with current technology, but with unlimited time and resources, it can be done.
Chapter 5  CONTRIBUTIONS, CONCLUSIONS AND IMPLICATIONS FOR FUTURE RESEARCH

5.1 Contributions

Wireless LANs are becoming more and more popular. This popularity increases the opportunities for intruders to infect computing systems via RF. The hardware and software telecommunication components, the specifications for each component and the technology to inject rogue programs via RF communication channels are proven and readily available. Unauthorized users can purchase "Telecommunication Saturday Night Specials" at many electronics outlets to insert rogue code into a communication channel via RF surreptitiously.

This dissertation makes three major theoretical and three proof of concept contributions. The first major theoretical contribution is the development of an abstract model of the rogue code insertion process into a wireless network using RF.

The second major theoretical contribution is the development of the methodology and three modules to generate rogue code and insert it into a wireless LAN. The three modules are the prober, activator, and trigger modules.
The third major theoretical contribution is the inclusion of the VL into the abstract model. This was accomplished by combining Fred Cohen's and Linda Rutledge's works with the proposed topological, vector and functional factors, to establish a computing system's VL to rogue program threats.

The first proof of concept contribution is the finding that inadequately protected wireless LANs are more vulnerable to rogue program attack than traditional LANs. Because of their inherent characteristics, wireless LANs have unique security concerns. They run not only the same risks as traditional LANs, but they also have the additional risks associated with an open transmission medium. Intruders can scan radio waves, and given sufficient time and resources, they can interrupt, analyze, decipher and reinsert data into the communication medium.
The second proof of concept contribution is the demonstration that rogue code could be successfully inserted into a target host via RF. This will not only make the computing community aware of wireless LANs' inherent vulnerabilities, but the insertion will also help the community identify, analyze and neutralize these weaknesses and defend against unauthorized users.

The  third  proof  of  concept  contribution  is  the  cost-benefit 
component  of  the  abstract  model.  The  component  demonstrated 
that  it  generally  costs  users  significantly  more  not  to  employ 
safeguards  on  their  wireless  LANs  than  to  employ  safeguards. 

5.2  Conclusions 

The  value  of  this  work  is  that  this  study  can  be  applied  to 
the  UNIX,  MVS,  Macintosh  and  other  operating  systems  or  other 
related  telecommunication  spheres,  such  as  cellular  phones, 
automatic  bank  tellers,  short  wave  communications,  electronic 
warfare,  and  satellite  manipulation  applications. 

Cellular phones are popular with all population sectors. By the end of 1994, millions of people will have cellular phones in the USA alone and thousands more will have cellular modems. This technology has provided ample opportunity for companies to make money and "would be intruders" to cause havoc using the various methods of communicating through the air. Some of these methods include:

1.  Cellular  Digital  Packet  Data  (CDPD) ,  which  is  an 
emerging  technology  that  transmits  data  over  cellular 
networks  by  inserting  data  packets  into  unused  voice 
channels.  Its  main  use  is  likely  to  be  for  short,  bursty 
transactions,  such  as  mobile  credit-card  authorizations. 

2.  Circuit-switched  cellular,  which  uses  today's  cellular 
network  to  transfer  connection-oriented  data  via  a 
cellular  modem. 

3. Mobile satellite service, which is voice and messaging-oriented technology targeted at places without an existing wired infrastructure.

4.  Paging,  which  is  a  one-way  data  messaging  and 
broadcast  technology. 

5.  Enhanced  Mobile  Radio,  which  is  voice  and  data 
technology . 

For example, UPS uses CDPD-like technology today to the tune of 510,000 to 520,000 calls per day.

Short wave, electronic warfare, and satellite manipulation applications are other areas which will become more vulnerable as technology improves. They all function within the radio frequency spectrum. For example, the FCC's recent announcement to allocate thin slices of spectrum in the 2-GHz range to potential service providers may give unauthorized users the opportunity to gain access for illegitimate purposes.

5.3  Future  Work 

This work points out the need for more research in protocol design. The current protocol suites* use layers to reduce their design complexity and provide well-defined interfaces between the layers, so that a change on one layer doesn't affect an adjacent layer. The protocol suites are:

1.  the  TCP/IP  protocol  suite  (the  Advanced  Research 
Projects  Agency  (ARPA)  Internet  protocols) , 

2.  Xerox  Network  Systems  (Xerox  NS  or  XNS) , 

3.  IBM's  Systems  Network  Architecture  (SNA), 

4. IBM's NetBIOS,

5.  the  OSI  protocols, 

6.  Unix-to-Unix  Copy  (UUCP). 


* A protocol suite is a collection of protocols from more than one layer that forms the basis of a useful network.

Each of these protocol suites defines different protocols at different layers; for example, the Trivial File Transfer Protocol (TFTP) is one specific user process whose protocol is defined by the TCP/IP protocol suite.

Protocols provide resource sharing and interconnection; security was not a major factor. These protocols generally do not have duplicate packet checking and simply discard any duplicate packets. The rogue code exploited this protocol characteristic in chapter 3 to insert the rogue code into the communication stream of a targeted host via RF. More robust protocols would minimize the threats delineated in this dissertation.

Another extension of this dissertation for future researchers is to conduct an empirical analysis of the Accessibility Vulnerability Likelihood. This dissertation only discussed the variability of VL as n doubles with the other parameters remaining the same. As expected, the normalized value of VL remains the same. Further study is needed to determine the effects on VL as all parameters vary, to provide a comprehensive perspective of how accessible networks are to rogue programs.


APPENDIX 1 - INITIALIZATION CODE

Initialization code for Host Aaron (Start.Bat)

REM Search path: both floppies, the CLNP TSR and manager, and the packet driver
PATH=a:\;b:\;b:\clnptsr;b:\clnpmgr;a:\packet
REM Host name this station presents on the RF LAN
SET HOSTNAME=aaron
prompt $t$h$h$h $p$g
a:
cd \packet
REM Load the LAWN packet-driver batch file
call llawn
b:
cd \clnptsr
REM Load the CLNP terminate-and-stay-resident network layer
clnptsr
cd \clnpmgr

Initialization code for Host Bob (Start.Bat)

PATH=a:\;b:\;b:\clnptsr;b:\clnpmgr;a:\packet
SET HOSTNAME=bob
prompt $t$h$h$h $p$g
a:
cd \packet
call llawn
b:
cd \clnptsr
clnptsr
cd \clnpmgr

Initialization code for Host Intruder (Start.Bat)

PATH=a:\;b:\;b:\clnptsr;b:\clnpmgr;a:\packet
SET HOSTNAME=intruder
prompt $t$h$h$h $p$g
a:
cd \packet
call llawn
b:
cd \clnptsr
clnptsr
cd \clnpmgr
APPENDIX 2 - ROGUE PROGRAM CODE

.Text segment byte public "code"
.Text ends
Assume CS:.Text
.Text segment

msgbegin label byte
        db "This program has been infected by virus",0
msgsend label byte

Virus proc near
        mov bx,2                      ; handle 2 = standard error
        mov cx,msgsend - msgbegin     ; length of the message in bytes
        mov dx,CS
        mov ds,dx                     ; DS = CS so DS:DX addresses the message
        mov dx,offset msgbegin
        mov ah,40H                    ; DOS function 40H: write to handle
        int 21H
        mov ah,4cH                    ; DOS function 4CH: terminate process
        int 21H
Virus endp

.Text ends
.Data segment
.Data ends
End Virus

; harmless: the payload only writes a message and exits